BotGuard is the core of YouTube's 2024-onwards anti-bot defense. The JS is downloaded as part of the player bundle, obfuscated with aggressive control-flow flattening and dead-code injection. When it runs, it samples dozens of signals: user agent, screen resolution, WebGL renderer, canvas fingerprint, timing of user interactions, audio context characteristics, the order of API calls during page load.
These signals are combined into a signed token (PoToken) that YouTube's servers validate. A genuine browser session produces a token YouTube accepts; a headless browser missing some signals produces a token that gets rejected. Rejections silently downgrade the user to lower-resolution-only formats — the player still works, just at 480p.
For downloaders: bypassing BotGuard isn't a one-time crack. The signaling shape changes every few weeks. The viable approaches are to execute BotGuard rather than imitate its output (run a real or headless browser), or to piggyback on a cookie session that has already produced valid tokens (the route our backend uses).
Common questions
Does BotGuard affect regular YouTube users?
Related terms
PoToken (Player Token)
PoToken is a signed token YouTube's player generates in the browser as proof that the request comes from a real player session, not a scraper.
Signed URL
A signed URL is a download link with cryptographic parameters that authenticate the request and expire after a set time.
IP fingerprinting
IP fingerprinting is the practice of evaluating an IP address against its history, ASN, country, type (residential vs datacenter), and behavioral patterns to decide how to treat requests.
VidPickr is a free, browser-based YouTube downloader. Every term in this glossary either describes how YouTube delivers video or why your downloads behave the way they do. Try the downloader →