A JWT has three parts separated by dots: header (the algorithm), payload (the claims), and signature (an HMAC of header + payload using a secret). The receiving server recomputes the signature and trusts the claims only if it matches.
For VidPickr specifically, each download token is an HMAC-signed JWT-equivalent. The payload includes the googlevideo URL, the filename, an expiry timestamp, and optionally a proxy URL for geo-recovered content. Each /stream request decodes the token, checks the signature and expiry, and uses the embedded data to fetch and serve the content.
Why this matters: the user's browser can't modify the token (any modification breaks the signature), can't see the URL extraction mechanism (the token hides what kkdai / yt-dlp actually returned), and tokens self-expire so leaked tokens don't work for long.
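The issue-and-verify flow described above, as an added example that is not VidPickr's own code. The names SECRET, issue_token and verify_token and the claim keys url, filename, exp and proxy are assumptions, as are the constructed sample values; the payload here is only base64url-encoded and signed, not encrypted.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: key known only to the server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(url, filename, ttl_seconds, proxy=None, now=None):
    """Build header.payload.signature with an absolute expiry claim."""
    now = int(time.time()) if now is None else now
    claims = {"url": url, "filename": filename, "exp": now + ttl_seconds}
    if proxy:
        claims["proxy"] = proxy
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input)

def verify_token(token, now=None):
    """Return the claims, or raise ValueError. The signature is checked first."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Constant-time compare; no token content is parsed until this passes.
    if not hmac.compare_digest(sign(header + "." + payload).encode(), signature.encode()):
        raise ValueError("bad signature")
    # The algorithm is fixed server-side; the header cannot select another one.
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    claims = json.loads(unb64url(payload))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Passing `now` explicitly makes the expiry check reproducible in tests; in a request handler it is left at its default.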
Common questions
Are JWTs the same as cookies?
Related terms
Signed URL
A signed URL is a download link with cryptographic parameters that authenticate the request and expire after a set time.
Cookie (browser session)
A cookie is a small piece of data a website stores in your browser to track session state — whether you're logged in, which preferences you've set, what country you appear to be in.
VidPickr is a free, browser-based YouTube downloader. Every term in this glossary either describes how YouTube delivers video or why your downloads behave the way they do.