Is the API key for the YouTube Data API v3 known to be at risk?
I accidentally sent the API key out Give it to someone else
Public data access
Google API keys are used for accessing public data only. The main purpose for these keys is so that google can track who is accessing their public apis.
If your key starts spamming google to much they will block your key. If you keep doing it you can get your account blocked. I would say the only risk to someone getting a hold of your key is them using it to get your account blocked.
There may also be issues with your quota if you have other people using your key then you are all eating up the same quota.
TOS
Beyond that there is also a note in TOS
Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.
Google may not be happy if you violate that and start giving your key away.
Create a new one
If you did give it to someone else just go to developer console under credentials tab on the left. You will find a list of your api keys.
Delete the one you shared and create yourself a new one. The user you accidentally sent it to will no longer be able to use it.
Related
I'd like to manage the playlists on my account automatically with a program I'm going to write. To this end, I took a look at the youtube API. However, it seems to me that the only sensible way to do that is to have a Google G Suite account in order to get access to the OAuth 2.0 API. At the same time, it confuses me that I need to pay a monthly fee just to be able to manage my own playlists. Am I missing something or is this indeed the only way?
You actually don't have to pay anything for normal operations (e.g. if you're able to function within the boundaries of the default quota allocated to your app). To manage (ie. list/create/modify/delete) your channel's playlists you'll have to use the following API endpoints:
Playlists.list, Playlists.insert, Playlists.update and Playlists.delete;
PlaylistItems.list, PlaylistItems.insert, PlaylistItems.update and PlaylistItems.delete.
For read-only operations on public data it suffices to have an application key.
For write operations you'll have to familiarize yourself with OAuth 2.0 authorization in the context of this API. See a brief top level description given by one of my recent answers. Then you'll have to go through the official docs referred to therein.
For some reason, I started getting 403 errors on my app(in development), the errors message was
Access Not Configured. YouTube Data API has not been used in project XXXXXXXX....
This is weird because I was using the API for the last month or so with the same project, and didn't do any changes.
After looking in the project settings I noticed that the daily quota was reduced to 0.
The only thing concerning the API that I did was to request a quota increase in order to keep developing(The default quota stalled the dev on the search functionality of my app), but I didn't get any answer concerning that request other than asking for info, no warnings, or anything really.
I'm pretty sure that my app complies with the Terms of service, so I don't think that is the reason.
Any help would be appreciated. Thanks!
I would check your email it sounds like your project was disabled. Have you been though the verification process?
YouTube reserves the right to disable or curtail your access to, or use of, specific YouTube API Services if your API Project has been inactive for 90 consecutive days. For example, YouTube could revoke your API Credentials, or reduce (or eliminate) your API Project's quotas for specific YouTube API Services. If your API Client's quota is reduced or eliminated, you may reapply for quota or a quota extension, and YouTube will review that application based on YouTube’s determination of your expected use of the YouTube API Services.
I would check your email. I have several emails about projects i no longer use which have had the quota reduced to 0 over the last few weeks.
How to reset
No matter what the clients you have now are not going to work you need to reset the project.
Delete all client ids you have now.
deactivate then reactivate all APIs you need
Create new client ids keys
If you're trying to use an old project, then it's not gonna work. You'll have to create a new project.
Create a new project.
Enable Youtube API for it. (Your quota will be reset to 10,000/day)
Get new API key for it.
Use the new credentials.
Currently, I have been tasked to utilize the Google People API to ask for a user's basic Google information along with their public phone numbers. So far the results have been positive.
The solution my team and I have incorporated the Google People API integration in has the capacity to be utilized across thousands of domains. As a result, my question is simply, How can my team members and I ensure that any our clients that utilize our solution with their own particular domain get our new functionality built with the Google People API?
Keep in mind, our clients have the flexibility to have http/https and any subdomain on their site. Entering each domain possibility for our client base one by one would not be an easy task. I'm seriously hoping there is a solution around the single, explicit origin entries.
Thank you for your time and help.
Warning:
You must remember that if this is source code you are giving your clients that you are not allowed to release your client id and client secret. This includes plugins and scripts.
On November 5th 2014 Google made some changes to the APIs terms of Service.
Asking developers to make reasonable efforts to keep their private
keys private and not embed them in open source projects.
So if your clients could view the code of your application and see your client id and secret you should not be giving it to them.
Read more about this issue Can I really not ship open source with Client ID?
Recommendation:
The best solution for you will be to instruct your users now to create there own project on Google Developer Console and create their own JS origins.
You may just have to provide your own wrapper around the target API where you authorize the client request yourself and then do the request from Google using your own credentials.
With a simple java program, I send GET requests using YouTube Data API specifically videos.list, in order to get the public metadata of a video and store it as .json files.
For my universities research, we have to do this with all available YouTube video IDs provided in the Youtube-8M Database.
Therefore, I would like to know if there is a way to extend the available quota for requests (I already know about the billing option, but I am a student and my university is small).
I have read the YouTube API terms, which states that only one project per client may be used to send such requests with the necessary API Key.
If I understand it correctly, even my simple java code is such a client.
In some other Stack Overflow questions about extending ones daily quota with API Keys, some suggested creating multiple accounts or projects.
Is this a legal option or not? Or is there another possibility to get a higher quota for simple requests used in research like I do right now?
If you go to the Google Developer console where you enabled the YouTube API. the second tab is called quota
Click the pencil next to which ever quota it is that you are blowing out. A new window will pop up with a link called apply for higher quota.
Fill out the form to apply. To my knowledge you do not have to pay for additional YouTube quota but it can take time to get approved. Make sure you comply with everything on the form.
I have never heard of the one project per client term. Technically you can run your application using different API Keys it should work fine. Technically there is nothing wrong with creating additional projects on Google Developer console. You don't need to go as far as creating another Google account.
I'm trying to figure out wheter it is possible to have a private video on youtube that I could share with particular Google Accounts through API.
I would have a separate web application that would have a Google signup and after signup I would enable that Google Account to watch my private video.
Ideally I would also want to embed the video to the web application (but I think I can do this rather easily if I'm an owner of the video).
Ispossible to have a private video on YouTube that I could share with particular google accounts through API.
No you cant directly share a video with another user like you could a file on google drive.
You could show the video on your own site, but I am not sure its something I would want to try. The thing is being that its a private video you and you alone have access to see it. Your going to have to authenticate your application and get a refresh token back which will allow you to access the account and the videos on the account.
Then you will be able to use that refresh token to get an access token to show other people the video via your website. The problem you will have is if the refresh token stops working (rarely happens but can happen) you will have to authenticate it again before your solution will work.
Note: Service accounts don't work with YouTube API. So don't bother going down that road.
If you know the ID of a video, you can access it. You can share the ID,or an embedded link with someone.
The api only hides the info, not blocks it. So you would need to hold the info elsewhere for referencing.
So as long as you know the id's of the related video's, you can do what you want with them.
However, if you are wanting to monetise them on the side, I would recommend against it. Best to read the user agreement you have with YouTube.