Security
Security & reliability
No "military-grade encryption" claims here — just a plain description of what's actually in place.
Authentication
The free tier is deliberately keyless — there are no credentials to leak, and nothing to steal. The paid tier (opening soon) uses JWT-based authentication issued by Clerk, a dedicated auth provider, rather than home-rolled tokens.
Rate limiting
Every client is rate-limited: per IP on the free tier (10 requests/minute on transcript endpoints, 100 requests/hour overall), per key on the paid tier. This protects the service — and your latency — from any single abusive client.
Input validation
Video IDs are validated against a strict pattern ([A-Za-z0-9_-]{5,20}) before anything else happens. Malformed input is rejected with a 400 and never reaches an upstream request, a shell, or a query.
Transport
TLS everywhere. The API is served exclusively over HTTPS, as is this site.
Secrets
Credentials (proxy accounts, signing keys, service tokens) are injected at deploy time as managed secrets. They are never committed to source control and never appear in code.
Infrastructure
The API runs on Google Cloud Run: autoscaling, ephemeral containers on Google's infrastructure. Instances scale with load and are recycled regularly, which limits the blast radius of any single-instance problem.
This portal
The site you're reading is static HTML with no cookies, no logins, and no third-party scripts. The only network call it ever makes from your browser is the status page polling the public /health endpoint.
Reporting a vulnerability
Found something? Please email wldud5192@gmail.com with subject "[API] Security". You'll get a reply from a human within 24 hours, and a fix gets priority over everything else.