5

PO Token Guide

coletdjnz edited this page 2026-03-11 08:01:45 +13:00

Table of Contents

• YouTube PO Token Guide
• Introduction
• Cases where a PO Token is required
• Current PO Token enforcement
• PO Token Provider Plugins
• Featured Plugins
• Other PO Token related tools
• Technical details

Go to YouTube Extractor Wiki

YouTube PO Token Guide

Tip

TL;DR recommended setup: Use a PO Token Provider plugin to provide the mweb client with a PO Token for GVS requests.

See the notice in the YouTube Extractor Wiki for more information on the current state of downloading videos from YouTube.

• YouTube PO Token Guide
  • Introduction
  • Cases where a PO Token is required
    • Current PO Token enforcement
  • PO Token Provider Plugins
    • Featured Plugins
  • Other PO Token related tools
  • Technical details

Introduction

Proof of Origin (PO) Token is a parameter that YouTube requires to be sent with requests from some clients. Without it, requests for the affected clients' format URLs may return HTTP Error 403, or result in your account or IP address being blocked.

A PO Token is generated by an attestation provider on Web, Android and iOS platforms to attest the requests are coming from a genuine client.

For yt-dlp, you can provide PO Token(s) using the po_token extractor argument, or you can install a plugin that hooks into the YouTube extractor to handle fetching a PO Token.

For more technical details on these tokens, refer to the technical details section.

Cases where a PO Token is required

There are currently three cases yt-dlp may require PO Tokens for video downloads, depending on the client used:

• GVS: Google Video Server requests (video streaming - https, dash, hls, etc.)
• Player: Innertube player requests (fetch video format URLs)
• Subs: Subtitle requests

The PO Tokens may be generated differently for each of these cases, depending on the client.

Current PO Token enforcement

YouTube is at present rolling out changes to enforce PO Tokens for video playback. Currently, only GVS and Subs require PO Tokens for some clients.

Client	PO Token Required For	Notes
web	Subs, GVS	Only SABR formats available
web_safari	GVS*	Same as web. *Provides HLS (m3u8) formats which do not require PO Token for GVS at this time.
mweb	GVS
tv	Not required	All formats DRM'd if cookies (logged-in or active guest) aren't passed. Only SABR formats available in some cases
tv_simply	GVS	Account cookies not supported
web_embedded	Not required	Only embeddable videos available
web_music	GVS
web_creator	GVS	Requires account cookies
android	GVS or Player	Account cookies not supported
android_vr	Not required	"Made for kids" videos are not available
ios	GVS or Player	Account cookies not supported

For all clients:

• GVS PO Token is not required for YouTube Premium subscribers
• HLS live streams do not require a PO Token (excluding ios client)

You can select what client to use with the player_client extractor argument.

PO Token Provider Plugins

Tip

Recommended

Manually extracting PO Tokens is no longer recommended. YouTube now binds PO Tokens to the video ID, so a new token needs to be generated for each video.

It is recommended to use a PO Token Provider plugin to automatically fetch and provide PO Tokens to yt-dlp.

Featured Plugins

Note

These plugins are not affiliated with yt-dlp

• bgutil-ytdlp-pot-provider by Brainicism
  • A PO Token Provider which uses BgUtils to generate PO Tokens. Maintained by a yt-dlp maintainer
• yt-dlp-getpot-wpc by coletdjnz
  • A PO Token Provider which uses YouTube in the browser to generate PO Tokens. Useful as a fallback/alternative if the above fails. Maintained by a yt-dlp core maintainer

Check out the yt-dlp-pot-provider GitHub topic for more PO Token Provider plugins.

For developers, refer to the PO Token Provider developer documentation

Other PO Token related tools

• BgUtils by LuanRT
  • Utility to generate PoTokens and run BotGuard attestation challenges.
• YouTube Trusted Session Generator by Invidious
  • A generator for getting a session that passes all the checks from YouTube side

Technical details

PO Tokens are still an active area of research, and at the same time YouTube is continuously updating the implementation and enforcement. The following information is based on the current understanding of PO Tokens, and is subject to change.

A PO Token is generated by either BotGuard (Web), DroidGuard (Android), iOSGuard (iOS). A PO Token from one platform cannot be used on another (i.e., Web PO Token cannot be used on Android or iOS).

PO Tokens have a "content binding", meaning they are bound to the user session (Visitor ID or account Session ID) or to the video ID. Most PO Tokens (such as for web GVS/Player) are bound to the video ID, so a new token is required for each video.

These PO Tokens have a limited lifespan (possibly as short as 12 hours), so they will need to be refreshed periodically. However, some reports suggest that the token may be valid for several months.

If you are interested, we recommend checking out the BgUtils project which does a deeper dive into the BotGuard attestation process.