Important: The Account Authentication API for the OAuth 1.0 protocol has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 authentication as soon as possible. If you are building a new application, you should use OAuth 2.0 authentication.
The OAuth protocol provides a standard way to access protected data on different websites. Whereas the AuthSub and ClientLogin methods are Google-specific, OAuth is an open protocol that can be implemented on other websites. Like AuthSub, OAuth is useful if you are building a web application that will let users link videos, comments, ratings, contacts or other information to their own YouTube accounts. OAuth may be particularly appealing to you if your application also integrates with other APIs besides the YouTube API, and those APIs also support the OAuth protocol. See http://oauth.net to learn more about Oauth.
Understanding OAuth Tokens
OAuth authentication uses two types of tokens:
- A request token ensures that an end user authorizes your application to submit API operations on the user's behalf. YouTube also uses the request token to verify that you have registered your application with Google.
- An access token enables your application to execute YouTube Data API operations on a particular user's behalf.
Note: Your application must obtain unique request and access tokens for each user. In addition, your application needs a mechanism to store access tokens for future use.
The authentication process has three stages:
Your application retrieves an unauthorized request token. Google verifies that you have registered your application before returning the token. Request tokens are only valid for one hour.
Your application redirects the user to a Google login page. The redirect URL specifies the unauthorized request token value retrieved in step 1 as well as a callback URL.
After the user logs in to her YouTube account, Google displays a page that lets the user choose whether to allow your application to perform YouTube API operations on her behalf. If the user grants your application this access, the unauthorized token will become an authorized token. (The token value does not change.) The user will also be redirected to the callback URL that you specified.
Your application exchanges the authorized request token for an access token. Only authorized tokens can be exchanged, and each request token can only be exchanged one time. The access token is associated with a single user account, and your application should use that token to submit authenticated API requests on that user's behalf.
Setting up OAuth 1.0 authentication
You must complete the following steps to enable your web application to authenticate users with the OAuth protocol:
Register your web application with Google.
Please see the Registration for Web-Based Applications page for an explanation of the registration process and the requirements for registration.
Note: All requests to obtain or use an OAuth token must be signed. Google supports the RSA-SHA1 and HMAC-SHA1 signature algorithms.
- If your application uses the RSA-SHA1 signature algorithm, you will need to upload a security certificate to Google during the registration process.
- If your application uses the HMAC-SHA1 signature algorithm, leave the certificate field blank when completing your registration. Google will generate an OAuth consumer secret value, which will display on your domain's registration page after you have completed the registration process. You will then use this value to sign requests.
Set up a mechanism to manage OAuth tokens.
After your application obtains an OAuth access token from YouTube, your application will use that token for YouTube API requests it makes on behalf of the user associated with that token. As such, your application will need to store tokens and track the user for whom each token is valid. Your application should not try to retrieve a new access token each time the application needs to interact with YouTube on a particular user's behalf. In fact, tokens should be treated as securely as any other sensitive user information that your application stores.
As noted above, OAuth 1.0 authentication has been officially deprecated as of April 20, 2012. While we recommend that you upgrade your application to OAuth 2.0 as soon as possible, if you do need to fix an existing OAuth 1.0 implementation, please refer to the following documents:
The OAuth 1.0 API Reference describes Google's implementation of the OAuth open standard for authorization, and explains how to implement OAuth 1.0a in your application.
That document includes an explanation for getting a request token, a step that involves sending a request with several query parameters. In that request, the
scopeparameter identifies the service that you are trying to access to make authenticated requests. The parameter is Google-specific and is not defined in the OAuth standards. Set the parameter value to
The OAuth 1.0 for Web Applications document explains how to get started using Google's implementation of the OAuth protocol to authorize a web application's requests for access to a user's data.
The OAuth 1.0 for Installed Applications document explains how to get started using Google's implementation of the OAuth protocol to authorize an installed application's requests for access to a user's data.