If you are building a browser-based player or client-side application, use session tokens. Your API key never reaches the browser: your server calls POST /api/auth with a valid API key to receive a short-lived token, then sends that token down to the client for use on subsequent requests.
POST /api/auth requires a valid API key. The token inherits the tier of the key used to obtain it — a public key issues a public-tier token, a standard key issues a standard-tier token, and so on.
Tokens are HMAC-signed and verified server-side without shared in-memory state, so they work correctly across all server workers. Tokens expire after 30 minutes — re-fetch from /api/auth and retry when expired.
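
How a stateless HMAC-signed token can carry its tier and expiry so that any worker can verify it, shown as an added example in Node.js; this is not the API's own implementation. The token layout, field names, helper names and demo secret are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed, not documented by the API: the token layout
// base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag) and all names.
const TOKEN_TTL_MS = 30 * 60 * 1000; // 30-minute lifetime stated on the page
const STREAMING_TIERS = new Set(["standard", "partner"]);

function sign(secret, body) {
  return nodeCrypto.createHmac("sha256", secret).update(body).digest("base64url");
}

// Issue a token that carries the tier of the API key used to request it.
function issueToken(secret, tier, now = Date.now()) {
  const payload = JSON.stringify({ tier, exp: now + TOKEN_TTL_MS });
  const body = Buffer.from(payload).toString("base64url");
  return `${body}.${sign(secret, body)}`;
}

// Verify with only the secret and the clock: no per-worker session store.
function verifyToken(secret, token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [body, tag] = parts;
  const expected = Buffer.from(sign(secret, body));
  const given = Buffer.from(tag);
  // Check the tag before parsing the payload; compare in constant time.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const { tier, exp } = JSON.parse(Buffer.from(body, "base64url").toString());
  if (typeof exp !== "number" || now >= exp) return { ok: false, reason: "expired" };
  return { ok: true, tier, canStream: STREAMING_TIERS.has(tier) };
}

// Constructed demo values: the secret and timestamps are made up.
const SECRET = "constructed-demo-secret";
const t0 = 1_700_000_000_000;
const publicTok = issueToken(SECRET, "public", t0);
const standardTok = issueToken(SECRET, "standard", t0);
console.log(verifyToken(SECRET, publicTok, t0 + 1000));
console.log(verifyToken(SECRET, standardTok, t0 + TOKEN_TTL_MS));
```

Because the tier sits inside the signed payload, a client cannot upgrade a public-tier token by editing it: any change to the payload invalidates the tag.
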
API keys are for server-side integrations and direct API access where the key is never exposed to end users.
Rate limits are enforced per API key — not per IP address or per user. Each request made with the same key counts toward that key’s limit regardless of where it originates.

| Tier | Rate Limit | Streaming access |
|---|---|---|
| public | 10 req / 60s | No |
| standard | 100 req / 60s | Yes |
| partner | 1000 req / 60s | Yes |

A public key is available for testing non-streaming endpoints:
public_api_key
The public tier cannot access the stream proxy (/api?url=...) or stream any video data. This restriction applies whether authenticating with a public API key directly or with a session token obtained from a public key. Streaming requires a standard or partner key, or a session token obtained from one.
Standard and partner keys are no longer issued publicly. Submit a request to get one.
Rate limits are tracked per API key. Session token requests (authenticated via X-Session-Token) are not subject to rate limiting — only direct API key usage is counted.
When a limit is exceeded the API returns 429 with a JSON body:
Use session tokens if your code runs in a browser. Putting an API key in client-side JavaScript exposes it in network requests — session tokens exist to prevent that. Your server fetches the token using its API key and passes it to the client.
Use API keys if your code runs on a server where the key is never sent to the browser.