Tubask

Security

Your YouTube API key stays yours — encrypted, never shared across accounts. MCP access is read-only with OAuth-linked sessions.

API key handling

  • Fernet encryption at rest for stored YouTube API keys
  • Keys are validated against Google before save — invalid keys are rejected
  • We use your key only to fulfill your MCP requests — not sold or used for training
  • Each account is isolated — no shared key pool

Restrict your key to YouTube Data API v3 in Google Cloud. See API key guide.

Authentication

  • Argon2id password hashing for web accounts
  • Signed, time-limited session cookies for the dashboard
  • OAuth 2.0 links each MCP client to your account — passwords never sent to Claude or Cursor
  • Rate limiting on auth endpoints

OAuth & accounts

MCP tools are read-only

Unroll tools only read public YouTube data — search, metadata, captions, comments. We never post comments, upload videos, modify playlists, or access your personal YouTube login.

Transport & headers

  • Production MCP endpoint over HTTPS
  • Security headers on HTTP responses (CSP, HSTS where applicable)
  • Streamable HTTP transport — no arbitrary code execution on your machine

What we don't do

  • Store full video content or re-host YouTube media
  • Train models on your queries or transcripts
  • Share API keys between users
  • Bypass Google's Terms of Service or API policies

Your responsibilities

  • Keep your Unroll password and API key confidential
  • Rotate API keys if you suspect leakage
  • Comply with YouTube Terms of Service and API Services policies
  • Don't use the service to scrape at abusive volume

Questions about data handling? See our Privacy Policy, Terms of Service, and Cookie Policy.