Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Pragyat-Nikunj/VidTube/llms.txt

Use this file to discover all available pages before exploring further.

VidTube uses JSON Web Tokens (JWT) for authentication. When you log in, the API issues two tokens: a short-lived access token (default expiry: 1 hour) and a longer-lived refresh token (default expiry: 10 days). You pass the access token on every request to a protected endpoint; when it expires, you use the refresh token to get a new one without logging in again.

How to get tokens

Call POST /users/login with your credentials. All three fields are required. 
curl -X POST https://vidtube-ke5w.onrender.com/api/v1/users/login \
  -H "Content-Type: application/json" \
  -d '{"email":"john@example.com","username":"johndoe","password":"secret123"}'
The response includes both tokens in the JSON body and sets them as httpOnly cookies simultaneously: 
{
  "statusCode": 200,
  "data": {
    "user": {
      "_id": "64f1a2b3c4d5e6f7a8b9c0d1",
      "username": "johndoe",
      "email": "john@example.com",
      "fullname": "John Doe",
      "avatar": "https://res.cloudinary.com/example/image/upload/v1/avatar.jpg"
    },
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  },
  "message": "User logged In successfully",
  "success": true
}

How to pass tokens

You have two options. Use whichever fits your client. Include the access token as a Bearer token in the Authorization header on every request to a protected endpoint: 
curl https://vidtube-ke5w.onrender.com/api/v1/users/current-user \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
When you log in, the API automatically sets two httpOnly cookies — accessToken and refreshToken — with the secure flag enabled in production. Browsers send these cookies automatically on subsequent requests to the same origin, so no extra headers are required.
Both authentication methods work in parallel. The middleware checks req.cookies.accessToken first, then falls back to the Authorization header. You can use either or both in the same application.

Protected endpoints

The following endpoints require a valid access token: Users
  • POST /users/logout
  • POST /users/change-password
  • GET /users/current-user
  • PATCH /users/update-account
  • PATCH /users/update-avatar
  • PATCH /users/update-cover
  • GET /users/c/:username
  • GET /users/history
Videos
  • POST /videos/publishVideo
  • PATCH /videos/updateVideo/:videoId
  • DELETE /videos/deleteVideo/:videoId
  • PATCH /videos/togglePublish/:videoId
Comments
  • POST /comments/addComment/:videoId
  • PATCH /comments/updateComment/:commentId
  • DELETE /comments/deleteComment/:commentId
Likes
  • POST /likes/video/:videoId
  • POST /likes/comment/:commentId
  • POST /likes/tweet/:tweetId
  • GET /likes/videos
Playlists
  • POST /playlist/createPlaylist
  • PUT /playlist/:playlistId/videos/:videoId
  • DELETE /playlist/:playlistId/videos/:videoId
  • DELETE /playlist/:playlistId
  • PATCH /playlist/:playlistId
Tweets
  • POST /tweets/createTweet
  • PATCH /tweets/updateTweet/:tweetId
  • DELETE /tweets/deleteTweet/:tweetId
Subscriptions
  • POST /subscription/subscribe/:channelId
  • GET /subscription/subscribedChannels/:subscriberId
  • GET /subscription/channelSubscribers/:channelId
Dashboard
  • GET /dashboard/channelStats/:channelId
  • GET /dashboard/channel/videos/:channelId
Public endpoints that work without authentication include GET /healthcheck, GET /videos/getAllVideos, GET /videos/getVideoById/:videoId, GET /comments/videoComments/:videoId, GET /tweets/getUserTweets/:userId, GET /playlist/user/:userId, GET /playlist/:playlistId, and GET /subscription/channelSubscriberCount/:channelId.

How to refresh tokens

When your access token expires, call POST /users/refresh-Token. You can send the refresh token either as a cookie (set automatically during login) or in the request body. 
curl -X POST https://vidtube-ke5w.onrender.com/api/v1/users/refresh-Token \
  -H "Content-Type: application/json" \
  -d '{"refreshToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'
A successful response returns a new access token and a new refresh token, and refreshes the cookies: 
{
  "statusCode": 200,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  },
  "message": "Access token refreshed successfully",
  "success": true
}
Access tokens expire after 1 hour by default. If you receive a 401 response on a protected endpoint, refresh your access token using POST /users/refresh-Token before retrying. Refresh tokens expire after 10 days; after that, the user must log in again.

How to log out

Calling POST /users/logout invalidates the refresh token stored on the server and clears both cookies. This endpoint requires a valid access token. 
curl -X POST https://vidtube-ke5w.onrender.com/api/v1/users/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

{
  "statusCode": 200,
  "data": {},
  "message": "User logged out successfully",
  "success": true
}

Common authentication errors

StatusCauseResolution
401 UnauthorizedNo token providedAdd Authorization: Bearer <token> header or ensure cookies are sent
401 Invalid Access TokenToken is malformed or signed with a different secretRe-authenticate with POST /users/login
401 on token refreshAccess token expiredCall POST /users/refresh-Token with a valid refresh token
401 Invalid refresh tokenRefresh token is expired or has already been rotatedLog in again with POST /users/login
404 User not foundToken is valid but the associated user no longer existsLog in again with a different account

Build docs developers (and LLMs) love

Get started for freeTalk to us