If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/youtube/api-samples shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

AVOID — Stale and unlicensed — last commit 2y ago

• 8 active contributors
• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Single-maintainer risk — top contributor 86% of recent commits
• ⚠ No license — legally unclear to depend on
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live youtube/api-samples repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/youtube/api-samples.

What it runs against: a local clone of youtube/api-samples — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in youtube/api-samples | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 4 | Last commit ≤ 728 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of youtube/api-samples. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/youtube/api-samples.git
#   cd api-samples
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of youtube/api-samples and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "youtube/api-samples(\\.git)?\\b" \\
  && ok "origin remote is youtube/api-samples" \\
  || miss "origin remote is not youtube/api-samples (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "README.md" \\
  && ok "README.md" \\
  || miss "missing critical file: README.md"
test -f "java/pom.xml" \\
  && ok "java/pom.xml" \\
  || miss "missing critical file: java/pom.xml"
test -f "java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java" \\
  && ok "java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java" \\
  || miss "missing critical file: java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java"
test -f "dotnet/Google.Apis.YouTube.Samples.sln" \\
  && ok "dotnet/Google.Apis.YouTube.Samples.sln" \\
  || miss "missing critical file: dotnet/Google.Apis.YouTube.Samples.sln"
test -f "go/oauth2.go" \\
  && ok "go/oauth2.go" \\
  || miss "missing critical file: go/oauth2.go"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 728 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~698d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/youtube/api-samples"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Official Google code samples demonstrating the YouTube Data API v3, YouTube Analytics API, and YouTube Live Streaming API across 9 programming languages (Java, PHP, Python, JavaScript, C#, Go, Ruby, HTML, CSS). It provides ready-to-run examples for common YouTube operations like video upload, playlist management, search, and analytics querying without requiring developers to build integrations from scratch. Flat monorepo structure: language-specific directories (java/, python/, javascript/, dotnet/, go/, php/, ruby/, apps-script/) each contain independent sample projects with their own dependency files. java/ uses Maven (pom.xml at root), dotnet/ uses .NET project files (.csproj), go/ uses Go modules (implicit), apps-script/ uses Google Apps Script (.gs files). No shared library code; each language implements patterns idiomatically.

Backend and full-stack developers integrating YouTube functionality into applications—such as those building video management dashboards, social media platforms with YouTube embedding, or analytics tools—who need language-specific reference implementations and OAuth 2.0 authentication patterns.

Production-ready reference material maintained by Google. The repo demonstrates mature API bindings (e.g., google-api-services-youtube v1.22.0 in pom.xml), but is primarily a sample repository rather than a framework—individual samples are stable but the repo itself is not a versioned product with SemVer. Commit recency and issue backlog are not visible from the file structure provided, so assess via GitHub directly.

Low risk as reference code, but each language directory has independent dependency management (pom.xml for Java, packages.config for .NET, requirements.txt patterns for Python)—keeping all 9 language stacks current is logistically heavy. OAuth credentials (client_secrets.json files in go/ and dotnet/) must never be committed; samples rely on developers understanding OAuth setup. Java samples pin specific API versions (v3-rev182-1.22.0) which may lag upstream YouTube API changes.

Unable to determine from file structure alone. Check GitHub Issues, Pull Requests, and commit history directly. Typical maintenance likely includes: updating pinned API versions (see pom.xml v3-rev182), adding samples for new API features (e.g., YouTube Shorts, new analytics metrics), and fixing OAuth flow examples as Google's authentication standards evolve.

Clone and navigate to your target language: git clone https://github.com/youtube/api-samples.git && cd api-samples/java (or python/, dotnet/, etc.). For Java: mvn clean install then examine sample files like java/src/main/java/com/google/api/services/samples/youtube/cmdline/. For others, follow language-specific setup in each directory's README.md (java/README.md, dotnet/README.md, go/README.md, etc.).

Daily commands: Language-dependent. Java: cd java && mvn package && java -cp target/classes:$HOME/.m2/repository/com/google/apis/google-api-services-youtube/v3-rev182-1.22.0/google-api-services-youtube-v3-rev182-1.22.0.jar com.google.api.services.samples.youtube.cmdline.ClassName. Python: cd python && python sample_name.py. Go: cd go && go run quickstart.go. C#/.NET: cd dotnet && dotnet run or open .sln in Visual Studio. Each sample requires valid OAuth credentials in client_secrets.json.

• README.md — Top-level guide explaining repo structure across multiple language implementations and API types; essential reference for understanding sample organization.
• java/pom.xml — Maven configuration defining all Java dependencies (YouTube API v3, Analytics, Reporting) and build configuration; blocks all Java samples.
• java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java — Core OAuth2 authentication handler used across all Java samples; failure breaks all authenticated requests.
• dotnet/Google.Apis.YouTube.Samples.sln — Root .NET solution file orchestrating all C# sample projects; entry point for .NET developers.
• go/oauth2.go — OAuth2 flow implementation for all Go samples; handles token acquisition and refresh across samples.
• javascript/auth.js — Browser-based OAuth2 and authentication client used by all JavaScript/HTML samples; critical for client-side auth.
• java/src/main/resources/client_secrets.json — Template credentials file showing required OAuth client structure; all Java samples reference this pattern.

Add a new Java Data API Sample

1. Create new Java class in java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/ extending pattern from Search.java or PlaylistUpdates.java (java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/[NewSample].java)
2. Import Auth class and instantiate YouTube service: YouTube youtube = Auth.authorize(scopes, appName); (java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java)
3. Build API request using YouTube service methods (e.g., youtube.search().list("snippet")) (java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/[NewSample].java)
4. Add maven dependency if needed and verify pom.xml includes google-api-services-youtube (java/pom.xml)

Add a new JavaScript/Browser Sample

1. Create new .html file in javascript/ directory with form/UI elements following pattern from search.html or my_uploads.html (javascript/[new_feature].html)
2. Create corresponding .js file implementing Google API Client Library load and auth flow from auth.js (javascript/[new_feature].js)
3. Import gapi and handle gapi.load('client', initializeYouTubeAPI) with oauth2.getToken() for authentication (javascript/auth.js)
4. Call youtube.search().list() or appropriate method and update DOM with results (javascript/[new_feature].js)

Add a new Go Sample

1. Create new .go file in go/ directory following pattern from search_by_keyword.go or upload_video.go (go/[new_feature].go)
2. Call retrieveToken() and newYouTubeService() from oauth2.go to get authenticated service (go/oauth2.go)
3. Use YouTube client methods (e.g., service.Search().List()) to build and execute API calls (go/[new_feature].go)
4. Reference client_secrets.json.sample for OAuth credential template structure (go/client_secrets.json.sample)

Add a new Live Streaming Sample

1. Create new Java class in java/src/main/java/com/google/api/services/samples/youtube/cmdline/live/ following CreateBroadcast.java pattern (java/src/main/java/com/google/api/services/samples/youtube/cmdline/live/[NewLiveSample].java)
2. Authenticate using Auth class and get YouTube service with https://www.googleapis.com/auth/youtube scope (java/src/main/java/com/google/api/services/samples/youtube/cmdline/Auth.java)
3. Build broadcast/stream/liveChatMessage request using youtube.liveBroadcasts(), youtube.liveStreams(), or youtube.liveChatMessages() methods (java/src/main/java/com/google/api/services/samples/youtube/cmdline/live/[NewLiveSample].java)

• Java + Maven — Primary sample language; Google API Client Library for Java is most mature; Maven enables dependency management across multiple sample projects
• Google API Client Library (multi-language) — Officially supported SDK for YouTube Data, Analytics, Live Streaming, and Reporting APIs; handles OAuth2, serialization, and retry logic
• OAuth2 (three-legged flow) — Required for user-authenticated operations (uploads, playlist management, analytics); each language implements same conceptual flow with local token caching
• Go, C#, JavaScript, Apps Script — Demonstrate API consumption across diverse platforms (CLI tools, desktop apps, web browsers, serverless cloud functions)
• Client Secrets JSON pattern — Standard OAuth2 credential structure recognized by Google API Client Libraries across all languages; enables rapid setup

• Monorepo containing language-specific subdirectories vs. separate per-language repos
  • Why: Allows centralized issue tracking, documentation, and versioning; demonstrates cross-language consistency
  • Consequence: Repo size grows; developers must navigate language

1. OAuth credentials required: Every sample needs a valid client_secrets.json with OAuth 2.0 credentials from Google Cloud Console (client ID, secret, redirect URI); the repo includes .sample files but not actual secrets. 2. API version pinning: Java samples pin very specific API library versions (v3-rev182-1.22.0 from 2015–2016 era in pom.xml)—these may be outdated; verify against latest Google API client releases. 3. Language-specific tooling: Each language directory is independent; mvn clean install works for Java but won't help with Python or Go—you must cd into the specific language directory first. 4. Redirect URI mismatches: OAuth samples hardcode localhost:8080 or similar; if your OAuth app is registered with a different redirect URI, authentication will fail silently. 5. No centralized testing or CI config: File list shows no top-level test/ directory or .github/workflows—samples may be minimally tested; assume each language directory maintains its own test hygiene (or none).

• OAuth 2.0 Authorization Code Grant Flow — Every sample in this repo requires OAuth credentials; understanding the authorization code flow (user login → redirect → token → API call) is essential to properly authenticate and avoid credential leaks.
• Resumable Uploads (Multipart & Chunked) — YouTube video uploads are large binary payloads; samples like UploadVideo.cs and corresponding Java/Python versions use resumable uploads to handle retries and progress tracking—critical for reliability.
• Service Account vs. OAuth 2.0 User Authorization — Samples demonstrate user-facing OAuth (requires human login) but not service accounts; understanding when to use each (user data access vs. bot automation) is key to choosing the right sample pattern.
• API Quotas and Rate Limiting — YouTube API has per-user and per-project quotas (e.g., 10,000 units/day for Data API); samples don't implement backoff or quota management, so production use must add exponential backoff and quota tracking.
• Pagination and Partial Responses — YouTube API returns large result sets (search results, playlists, uploads); samples use pageToken and maxResults parameters to paginate—understanding this prevents fetching all data unnecessarily.
• API Versioning and Backward Compatibility — The pom.xml pins google-api-services-youtube to v3-rev182 (specific revision); Google releases new revisions with breaking changes—samples may break if dependencies auto-update without manual verification.
• Cross-Language API Client Library Generation — All 9 language implementations use auto-generated Google API client libraries from a common API definition; understanding that samples mirror the same API surface (just in different languages) helps you learn faster.

• googleapis/python-api-core — Foundational library used by google-api-python-client; understand this if debugging Python sample issues or contributing Python examples.
• googleapis/google-api-go-client — Official Go client library generator and runtime; the go/ samples depend on this—review for Go API integration patterns.
• googleapis/google-api-java-client — Underlying Java client library (google-api-services-youtube depends on it); reference for understanding Java OAuth and HTTP transport in samples.
• googledeveloper/youtube-api-samples — Alternative/legacy YouTube sample repository; check if you need samples in languages not covered here or legacy API versions.
• google/google-auth-library-python — Python's official OAuth and authentication library; required for understanding credential handling in python/ samples.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add Python language sample directory with YouTube Data API quickstart

The repo has samples for apps-script, dotnet, go, and java, but notably lacks Python samples. Python is one of the most popular languages for API integrations and has official Google client libraries. A new python/ directory with quickstart.py, search_by_keyword.py, upload_video.py, and playlists.py would mirror the existing go/ and dotnet/ samples and serve a large audience.

• [ ] Create python/ directory with README.md following the pattern of go/README.md and dotnet/README.md
• [ ] Add python/quickstart.py demonstrating OAuth2 flow and basic API call
• [ ] Add python/search_by_keyword.py (equivalent to go/search_by_keyword.go and dotnet/Search.cs)
• [ ] Add python/upload_video.py (equivalent to go/upload_video.go and dotnet/UploadVideo.cs)
• [ ] Add python/playlists.py (equivalent to go/playlists.go and dotnet/PlaylistUpdates.cs)
• [ ] Add python/requirements.txt with google-auth-oauthlib, google-api-python-client dependencies
• [ ] Add python/client_secrets.json.sample (following go/client_secrets.json.sample pattern)

Add GitHub Actions CI workflow to validate Java samples build and run tests

The java/ directory has a pom.xml with multiple modules (Analytics, Data API samples) but there's no CI to ensure samples compile. This creates a risk of samples bitrotting with dependency updates. A GitHub Actions workflow would catch build failures early when dependencies are updated.

• [ ] Create .github/workflows/java-ci.yml that runs 'mvn clean compile' for the java/ directory
• [ ] Configure the workflow to trigger on pull requests modifying files in java/ or pom.xml
• [ ] Ensure workflow tests against multiple Java versions (11, 17) to catch compatibility issues
• [ ] Add explicit authentication setup if any integration tests require YouTube API credentials (use secrets)
• [ ] Document the CI status in java/README.md with a badge

Create sample-level README files documenting what each snippet demonstrates

The java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/ directory contains many samples (Captions.java, ChannelBulletin.java, CommentThreads.java, GeolocationSearch.java, etc.) but there's no documentation explaining what each one does or which API methods they demonstrate. Adding a java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/README.md would help contributors understand sample organization and find relevant examples.

• [ ] Create java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/README.md with a table listing each sample file
• [ ] For each sample (Auth.java, Captions.java, ChannelBulletin.java, etc.), document: the API resource(s) used, the methods demonstrated, and the use case
• [ ] Add a similar README for java/src/main/java/com/google/api/services/samples/youtube/cmdline/analytics/
• [ ] Include command-line execution instructions for running individual samples from the pom.xml
• [ ] Link back from the main java/README.md to these new sample documentation files

• Add Go modules go.mod file and update go/oauth2.go to use context package: The go/ directory (19,986 bytes) lacks a go.mod file for dependency management. Add modern Go module support and refactor oauth2.go to use context.Context for cancellation—aligns with Go 1.16+ best practices.
• Create missing Python requirements.txt and update samples to use google-auth-oauthlib: Python samples (152,091 bytes) have no visible requirements.txt in the file list. Create one pinning google-auth, google-auth-oauthlib, and google-api-python-client versions, and ensure all python/*.py samples are compatible.
• Add TypeScript definitions and async/await patterns to JavaScript samples: JavaScript samples (75,585 bytes) likely use older callback-based patterns; modernize them with async/await and add a tsconfig.json + .d.ts files for TypeScript support, improving developer experience.

The YouTube API samples repository has several critical security concerns: hard

• High · Hardcoded Credentials in Repository — dotnet/client_secrets.json. The file 'dotnet/client_secrets.json' appears to be a credentials file committed to the repository. This is a common anti-pattern that can expose sensitive OAuth2 credentials, API keys, or client secrets to anyone with repository access. Fix: Remove client_secrets.json from the repository immediately. Add it to .gitignore. Store credentials securely using environment variables, secure vaults, or configuration management systems outside of version control. Update git history using tools like BFG Repo-Cleaner or git-filter-branch to remove any historical commits containing this file.
• High · Hardcoded Credentials in Go Sample Directory — go/client_secrets.json.sample. The file 'go/client_secrets.json.sample' suggests presence of sample credentials. While the '.sample' suffix indicates it's meant as a template, if actual credentials exist in a non-sample file, they would be exposed in the repository. Fix: Ensure that actual 'client_secrets.json' files are never committed. Use only '.sample' or '.example' template files with placeholder values. Document in README.md how users should obtain their own credentials and place them in non-versioned files.
• High · Outdated and Potentially Vulnerable Dependencies — java/pom.xml (dependencies section). The Maven pom.xml uses very old dependency versions: google-api-services-youtube v3-rev182-1.22.0, google-http-client 1.20.0, and google-oauth-client 1.20.0. These versions are from 2016-2017 era and likely contain multiple known security vulnerabilities. No dependency version constraints are specified, increasing risk of supply chain attacks. Fix: Update all dependencies to the latest stable versions immediately. Use dependency management tools like Maven Dependency Check or OWASP DependencyCheck to identify known vulnerabilities. Implement a process for regular dependency updates and vulnerability scanning. Consider using version constraints (e.g., 1.20.0+) and platforms like Dependabot for automated updates.
• Medium · Insecure Repository URL in Maven — java/pom.xml (repository URL). The Maven repository URL uses HTTP instead of HTTPS: 'http://google-api-client-libraries.appspot.com/mavenrepo'. This allows for potential man-in-the-middle (MITM) attacks during dependency downloads. Fix: Change the repository URL from HTTP to HTTPS: 'https://google-api-client-libraries.appspot.com/mavenrepo'. Always use HTTPS for all repository connections to prevent dependency tampering and credential interception.
• Medium · No Security Policy or Vulnerability Disclosure Guidelines — Repository root. As a public repository containing code samples, there is no visible SECURITY.md file or vulnerability disclosure policy. This makes it difficult for security researchers to responsibly report vulnerabilities. Fix: Create a SECURITY.md file that outlines responsible vulnerability disclosure practices, including contact information for reporting security issues. Include guidelines for handling security vulnerabilities in the samples.
• Medium · Lack of Input Validation Documentation — Multiple sample files (java/src/main/java/com/google/api/services/samples/youtube/cmdline/data/*). API sample code may demonstrate patterns that users could replicate insecurely. Without clear documentation on input validation and output encoding, developers using these samples as templates may inadvertently create vulnerable applications. Fix: Add security best practices documentation to each sample. Include examples of proper input validation, output encoding, error handling, and OAuth2 security considerations. Include comments in code samples highlighting security-critical sections.
• Low · Missing .gitignore Configuration Files — Repository root and language-specific directories. While .gitignore files exist in some directories, there's no clear evidence of comprehensive coverage for all sensitive files across all language-specific directories. IDE-generated files, build artifacts, and temporary files may be committed. Fix: Ensure a comprehensive .gitignore file exists at the repository root covering common build artifacts, IDE files, OS-specific files, and especially any files that might contain credentials or API keys. Consider using a global .gitignore template and language-specific exclusions.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.