1

I am having a very difficult time querying the YouTube search API using a key that is secured for use on Android exclusively. It seems when I remove restrictions from this key, the request works fine. When I attempt to lock it down and send the cert and package headers as described in this solution, I receive a very unhelpful 500 error:

{
    "error": {
        "errors": [
            {
                "domain": "global",
                "reason": "internalError",
                "message": "Internal Error"
            }
        ],
        "code": 500,
        "message": "Internal Error"
    }
}

Here is the request I'm attempting in cURL form, with private information redacted:

curl -X GET \
  'https://www.googleapis.com/youtube/v3/search/?q=songs&maxResults=25&key=my_api_key&part=snippet' \
  -H 'x-android-cert: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx' \
  -H 'x-android-package: com.xx.xx'

The documentation for this API indicates that support is only available here on StackOverflow. Are there any Google engineers that can help me understand why this is failing?

Brian
  • You may be using the wrong 'type' of credentials (which is why it works when you remove the restriction) which is causing the error. Try to use OAuth2.0 also to authorize the request. – ReyAnthonyRenacia Apr 11 '18 at 10:17
  • Just to verify, you have your API key's 'Application Restrictions' set to 'Android apps' then you get the internalError testing from Android app? If so, did you happen to add your package name and SHA-1 signing-certificate fingerprint to restrict it further? – johnh10 Apr 11 '18 at 12:45
  • @johnh10, yes to both questions. The key restriction is set to Android, and I've whitelisted the package name and fingerprint for the key. I'm getting the same error on Android, I just posted a curl example here because it's easier to reproduce. – Brian Apr 11 '18 at 14:12
  • @noogui, OAuth2.0 would require a user authorization step, right? I'd like to avoid adding this friction because I really only need the search API and nothing related to the user's account data. – Brian Apr 11 '18 at 14:14

1 Answer

9

After some trial and error, this appears to be caused by the format of the fingerprint sent in the x-android-cert header. Instead of accepting the same format required by the dev console (AB:CD:EF:01:23:...), it needs to be sent as a lowercased hex string (abcdef0123...). Hopefully this helps out the next soul unfortunate enough to run into this.

Brian
  • I can confirm this. Got error 500 from server until I lowercased the SHA-1 fingerprint. Google, how about a better error message? – Mikael Olsson Apr 26 '18 at 11:41
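
The header format described in the answer, as an added example that is not part of the original posts: a shell helper that converts a console-format SHA-1 fingerprint (AB:CD:...) to the lowercase, colon-free form and rebuilds the curl request from the question. The function names, `com.example.app` and the sample fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalize a signing-certificate fingerprint for the
# x-android-cert header (lowercase hex, no colons), per the answer above.

# normalize_android_cert FINGERPRINT
# Prints the normalized fingerprint; returns 1 if it is not a 20-byte SHA-1.
normalize_android_cert() {
    # Drop colon separators and fold to lowercase.
    fp=$(printf '%s' "$1" | tr -d ':' | tr '[:upper:]' '[:lower:]')
    # Reject anything that is not a hex digit (e.g. redacted "xx" bytes).
    case "$fp" in
        *[!0-9a-f]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    # A SHA-1 digest is 20 bytes, i.e. exactly 40 hex digits.
    if [ "${#fp}" -ne 40 ]; then
        echo "expected 40 hex digits, got ${#fp}" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# youtube_search_cmd API_KEY PACKAGE FINGERPRINT
# Prints the curl command from the question with the normalized header value.
youtube_search_cmd() {
    cert=$(normalize_android_cert "$3") || return 1
    printf "curl -X GET 'https://www.googleapis.com/youtube/v3/search/?q=songs&maxResults=25&key=%s&part=snippet' -H 'x-android-cert: %s' -H 'x-android-package: %s'\n" \
        "$1" "$cert" "$2"
}

# Constructed sample fingerprint (not a real certificate).
SAMPLE_FP='AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01'
youtube_search_cmd 'my_api_key' 'com.example.app' "$SAMPLE_FP"
```

Running the validation before sending the request turns a malformed fingerprint into a local error instead of the opaque 500 response shown in the question.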