I have been writing youtube bot functionality for subscribing channels for which youtube sends an authorization header as authentication mechanism,now as per this question the hashing algorithm used by youtube should be
sha1(new Date().getTime() + ' ' + SAPISID + ' ' + origin)
So I tested it out and it seems to work for other requests such as gmail but for this specific functionality on youtube the sapisidhash seems to be different,for one the generated hash has _u in the end that is added to it
SAPISIDHASH 1737533199_99687cec7b36bd2ca2ed4cb15023490f1c468019_u SAPISID3PHASH 1737533199_99687cec7b36bd2ca2ed4cb15023490f1c468019_u
also, a thing to note is that it's repeating twice for some reason.
Now I also know of this comment which suggests that the hashing algorithm for hashes ending with "_u" seems to be
sha1 of {seed number} {timenow} {your SAPISID} {site origin}
But that seems to only apply to the request on google drive as the request I am making has no seed number.
I am pasting the request down below,omiting the session credentials,please use your cookies to compute
POST /youtubei/v1/subscription/subscribe?prettyPrint=false HTTP/2
Host: www.youtube.com
Cookie: VISITOR_INFO1_LIVE=t-hn9K-Jth0; VISITOR_PRIVACY_METADATA=CgJJThIEGgAgPQ%3D%3D; PREF=f7=4100&tz=Asia.Calcutta&f4=4000000&autoplay=true&f5=30000; wide=0; __Secure-3PSID=*redacted*; __Secure-3PAPISID=*redacted*; LOGIN_INFO=*redacted*; __Secure-AA; __Secure-3PSIDTS=*redacted^; ST-4n4ru8=session_logininfo=*redacted
Content-Length: 3686
Sec-Ch-Ua-Full-Version-List: "Google Chrome";v="131.0.6778.265", "Chromium";v="131.0.6778.265", "Not_A Brand";v="24.0.0.0"
Sec-Ch-Ua-Platform: "Windows"
**Authorization: SAPISIDHASH 1737533199_99687cec7b36bd2ca2ed4cb15023490f1c468019_u SAPISID3PHASH 1737533199_99687cec7b36bd2ca2ed4cb15023490f1c468019_u**
Sec-Ch-Ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Bitness: "64"
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Mobile: ?0
X-Youtube-Client-Name: 1
Sec-Ch-Ua-Wow64: ?0
X-Origin: https://www.youtube.com
X-Youtube-Client-Version: 2.20250116.10.00
Sec-Ch-Ua-Arch: "x86"
Sec-Ch-Ua-Full-Version: "131.0.6778.265"
Content-Type: application/json
Sec-Ch-Ua-Form-Factors: "Desktop"
X-Youtube-Bootstrap-Logged-In: true
X-Goog-Visitor-Id: Cgt0LWhuOUstSnRoMCi26MO8BjIKCgJJThIEGgAgPQ%3D%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
X-Goog-Authuser: 0
Sec-Ch-Ua-Platform-Version: "10.0.0"
Accept: */*
Origin: https://www.youtube.com
X-Client-Data: CKy1yQEIl7bJAQiktskBCKmdygEIru/KAQiSocsBCImjywEI6ZjNAQiFoM0BCP6lzgEIotTOAQju1c4BCPHVzgEI+dfOAQj92c4BCNzazgEI+tvOAQjI3M4BGM/VzgEY7NrOAQ==
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: empty
Referer: https://www.youtube.com/VICENews
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,lb;q=0.7,hi;q=0.6
Priority: u=1, i
{"context":{"client":{"hl":"en","gl":"IN","remoteHost":"2401:4900:1cdf:6c48:3545:f255:f630:96e5","deviceMake":"","deviceModel":"","visitorData":"Cgt0LWhuOUstSnRoMCi26MO8BjIKCgJJThIEGgAgPQ%3D%3D","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36,gzip(gfe)","clientName":"WEB","clientVersion":"2.20250116.10.00","osName":"Windows","osVersion":"10.0","originalUrl":"https://www.youtube.com/VICENews","screenPixelDensity":1,"platform":"DESKTOP","clientFormFactor":"UNKNOWN_FORM_FACTOR","configInfo":{"appInstallData":"CLbow7wGEN6tsQUQvZmwBRDBws4cEOvCzhwQppOxBRDCt84cENO5zhwQ26-vBRCdprAFEK7BzhwQ37TOHBDT4a8FEOLUrgUQg8OxBRDDu84cEJrOsQUQytixBRCU_K8FEP68zhwQjdSxBRDqw68FEMTYsQUQ-rjOHBC8ss4cEJmNsQUQr8LOHBDB2v8SEMrUsQUQ55rOHBCPw7EFEMnmsAUQ18GxBRDM364FEI7QsQUQ4M2xBRDlubEFEKLUsQUQhaexBRDBq84cEJ7QsAUQ9quwBRC3768FEIvUsQUQzdGxBRC-irAFEI3MsAUQwLfOHBC_ws4cEN68zhwQgdaxBRCio84cEL22rgUQmdL_EhDh7LAFEO25sQUQ5s-xBRCGrM4cEIjjrwUQ2arOHBD_vM4cEIS9zhwQyNixBRCIh7AFEIqhsQUQlLvOHBDL0bEFENCyzhwQ-KuxBRD8ss4cEInorgUQmZixBRDcyM4cEJLLsQUQt-r-EhCU_rAFEKaasAUQt6TOHBDQjbAFEKuezhwQjtexBRDRlM4cEMn3rwUQgcOxBRDG2LEFEPaGsQUQkrjOHBDr6P4SEMHNsQUQjNCxBRCHw7EFEO26zhwQ0LDOHCooQ0FNU0doVVJvTDJ3RE5Ia0J2UHQ4UXVQOUE2UmhnYldmS1BfQkIwSA%3D%3D","coldConfigData":"CLbow7wGGjJBT2pGb3gzTnp4cEhZeHpZMWNScVdheEtKTENhalI2dWFndHU5WDl3SUtabU5UeGN2USIyQU9qRm94MzlrSnZ0VFk5OWRKTlZqQlBIeTliS3Ezc1ZOVDBCYjBiQ3RlVFNweTlMemc%3D","coldHashData":"CLbow7wGEhQxMDU2MzU5Mjc4Mjg3MzI3MTYxMRi26MO8BjIyQU9qRm94M056eHBIWXh6WTFjUnFXYXhLSkxDYWpSNnVhZ3R1OVg5d0lLWm1OVHhjdlE6MkFPakZveDM5a0p2dFRZOTlkSk5WakJQSHk5YktxM3NWTlQwQmIwYkN0ZVRTcHk5THpn","hotHashData":"CLbow7wGEhQxMTk5MTE1OTk3MTg4MzgxMTg5ORi26MO8BjIyQU9qRm94M056eHBIWXh6WTFjUnFXYXhLSkxDYWpSNnVhZ3R1OVg5d0lLWm1OVHhjdlE6MkFPakZveDM5a0p2dFRZOTlkSk5WakJQSHk5YktxM3NWTlQwQmIwYkN0ZVRTcHk5THpn"},"screenDensityFloat":1.25,"userInterfaceTheme":"USER_INTERFACE_THEME_LIGHT","timeZone":"Asia/Calcutta","browserName":"Chrome","browserVersion":"131.0.0.0","acceptHeader":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","deviceExperimentId":"ChxOelEyTWpjek16QTVNekV4T0RBMk5EazJNdz09ELbow7wGGLXow7wG","rolloutToken":"CIDjmKycmvzKlwEQnLHQ16bEiQMYkMbyrv2GiwM%3D","screenWidthPoints":1536,"screenHeightPoints":738,"utcOffsetMinutes":330,"connectionType":"CONN_CELLULAR_4G","memoryTotalKbytes":"8000000","mainAppWebInfo":{"graftUrl":"https://www.youtube.com/VICENews","pwaInstallabilityStatus":"PWA_INSTALLABILITY_STATUS_UNKNOWN","webDisplayMode":"WEB_DISPLAY_MODE_BROWSER","isWebNativeShareAvailable":true}},"user":{"lockedSafetyMode":false},"request":{"useSsl":true,"internalExperimentFlags":[],"consistencyTokenJars":[{"encryptedTokenJarContents":"AKreu9vptTKdk7iDJKq0-AUYXmfqV6eWB64LRj6dK14ssIx9p_3RlK_b_9GFAKkBT9g7PhNmVq2zws3tu2SAeg9dfiXZ-Medyq11Au1nfyWxCrUUSsWtiSxIXQQ","expirationSeconds":"600"}]},"clientScreenNonce":"GlmF6VRmCcF2LZ1l","clickTracking":{"clickTrackingParams":"CCQQmysYASITCPKI95K5iYsDFeyM2AUd-7UqVTIJY2hhbm5lbHM0"},"adSignalsInfo":{"params":[{"key":"dt","value":"1737533150944"},{"key":"flash","value":"0"},{"key":"frm","value":"0"},{"key":"u_tz","value":"330"},{"key":"u_his","value":"5"},{"key":"u_h","value":"864"},{"key":"u_w","value":"1536"},{"key":"u_ah","value":"824"},{"key":"u_aw","value":"1536"},{"key":"u_cd","value":"24"},{"key":"bc","value":"31"},{"key":"bih","value":"738"},{"key":"biw","value":"1519"},{"key":"brdim","value":"0,0,0,0,1536,0,1536,824,1536,738"},{"key":"vis","value":"1"},{"key":"wgl","value":"true"},{"key":"ca_type","value":"image"}]}},"channelIds":["UCZaT_X_mc0BI-djXOlfhqWQ"],"params":"EgIIAhgA"}
Here's how the hash is generated:
sha1([DATASYNC_ID, TIMESTAMP, SAPISID, ORIGIN].join(" "))
WITH:
DATASYNC_ID = ytcfg.data_.DATASYNC_ID.split('||')[0]
TIMESTAMP = Math.floor(new Date().getTime() / 1E3)
SAPISID = cookies['SAPISID']
ORIGIN = "https://www.youtube.com"
The authorization header seems to be a repeat of {TIMESTAMP}_{sha1_hash}_u
for each of SAPISIDHASH
, SAPISID1PHASH
and SAPISID3PHASH
:
authorization: SAPISIDHASH {TIMESTAMP}_{sha1_hash}_u SAPISID1PHASH {TIMESTAMP}_{sha1_hash}_u SAPISID3PHASH {TIMESTAMP}_{sha1_hash}_u