Browser flow
Browser routes intentionally use a different credential from machine clients.
GET /web/identityreturns an optional project-issued certificate envelope,{"payload":"...","signature":"..."}. It sendsAccess-Control-Allow-Origin: *andCache-Control: public, max-age=300. Missing or invalid configuration returns503.POST /web/verifyaccepts{"token":"ONE_USE_TURNSTILE_TOKEN"}. The API calls Cloudflare Siteverify with its secret and a new idempotency UUID. Production validation requiressuccess=trueplus the configured hostname and action. Success returns{"access_token":"PAYLOAD.SIGNATURE","expires_at":UNIX_SECONDS}.GET /web/sessionsendsAuthorization: Bearer ACCESS_TOKENand returns{"valid":true,"expires_at":UNIX_SECONDS}.GET /web/capabilitiessends the bearer header and advertises optional features. DLP is available only when enabled, correctly configured, and healthy.- Normal scraper flow:
POST /web/scrapesends the same bearer header andScrapeRequest. It returns the standard response with every/media/...value recursively rewritten to/web/media/...;GET /web/media/{platform}/{post_id}/{filename}streams the cached file. - Private download flow: allocate, submit, poll, and stream an asynchronous
/web/dlp/jobs/...job. YouTube always takes this path in the official client; cookies are optional browser-generated ciphertext. See Private downloads (DLP).
Signed session format
Section titled “Signed session format”The access token contains a URL-safe base64 JSON payload and an HMAC-SHA256 signature, separated by a period. Claims contain issued-at (iat), expiry (exp), and a random nonce. TURNSTILE_SESSION_SECRET must contain at least 32 characters. Maximum age defaults to 43,200 seconds, is clamped to 60–86,400 seconds, and falls back to the default when unparsable.
Authorization: Bearer PAYLOAD.SIGNATUREInvalid, expired, missing, or wrongly signed sessions return 401. The API does not set cookies itself; the official Next.js BFF puts this token into an HttpOnly, SameSite=Strict cookie and adds the bearer header server-side.