# Security Policy
## API Key Security
Your YouTube Data API key should be kept secure and never shared publicly.
### Best Practices
1. **Never commit API keys to version control**
   - The `.gitignore` file excludes `.env` files by default
   - Always use environment variables for API keys
   - Never hardcode API keys in source code
2. **Restrict your API key** (Recommended)
   - Go to Google Cloud Console → Credentials
   - Click on your API key
   - Under "API restrictions", select "Restrict key"
   - Choose "YouTube Data API v3" only
   - This limits misuse if your key is exposed
3. **Use separate keys for different environments**
   - Use different API keys for development and production
   - Rotate keys periodically
4. **Monitor API usage**
   - Check your quota usage regularly in Google Cloud Console
   - Set up quota alerts to detect unusual activity
   - Review API logs for suspicious requests
### What to Do If Your API Key Is Compromised
If you believe your API key has been exposed:
1. **Immediately delete the compromised key** in Google Cloud Console
2. **Create a new API key** with proper restrictions
3. **Update your configuration** with the new key
4. **Review API logs** for any unauthorized usage
5. **Consider reporting** to Google Cloud Support if you see abuse
### Configuration Security
When sharing your MCP configuration:
- Never share your actual API key
- Use placeholder text like `"YOUR_API_KEY_HERE"`
- Ensure `.env` files are in `.gitignore`
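One way to apply the placeholder rule automatically before sharing a configuration (an added example, not code from this project). The `mcpServers` layout, the `YOUTUBE_API_KEY` variable name, the `--key` argument and the `dist/index.js` path are assumptions for illustration; the key pattern is the `AIza` plus 35 characters shape that secret scanners commonly match for Google API keys.

```javascript
// Added example: redact API keys from an MCP configuration before sharing it.
// Google API keys are commonly matched as "AIza" + 35 URL-safe characters.
const GOOGLE_KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;
// Field names that suggest a secret whatever the value looks like (assumed list).
const SECRET_NAME_RE = /(api[_-]?key|secret|token|password)/i;
const PLACEHOLDER = "YOUR_API_KEY_HERE";

// Returns a redacted deep copy plus the JSON paths that were changed.
function redactConfig(value, keyName = "", path = "$", findings = []) {
  if (typeof value === "string") {
    if (SECRET_NAME_RE.test(keyName) && value !== "" && value !== PLACEHOLDER) {
      findings.push(path);
      return { value: PLACEHOLDER, findings };
    }
    // A key can also hide inside a longer string, such as an argument or URL.
    const replaced = value.replace(GOOGLE_KEY_RE, PLACEHOLDER);
    if (replaced !== value) findings.push(path);
    return { value: replaced, findings };
  }
  if (Array.isArray(value)) {
    const items = value.map(
      (v, i) => redactConfig(v, keyName, `${path}[${i}]`, findings).value);
    return { value: items, findings };
  }
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = redactConfig(v, k, `${path}.${k}`, findings).value;
    }
    return { value: out, findings };
  }
  return { value, findings }; // numbers, booleans, null pass through
}

// Constructed sample: the key is fake and only has the right shape; the
// server name, path, --key argument and variable names are hypothetical.
const FAKE_KEY = "AIza" + "x".repeat(35);
const sampleConfig = {
  mcpServers: {
    youtube: {
      command: "node",
      args: ["dist/index.js", `--key=${FAKE_KEY}`],
      env: { YOUTUBE_API_KEY: FAKE_KEY, LOG_LEVEL: "info" },
    },
  },
};
const { value: shareable, findings } = redactConfig(sampleConfig);
console.log(JSON.stringify(shareable, null, 2));
console.log("redacted paths:", findings);
```

The returned paths show where a key was found, which also points at places (such as command-line arguments) where the key should be moved into an environment variable.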
### Reporting Security Issues
If you discover a security vulnerability in this project:
- **Do not** open a public issue
- Open a private security advisory on GitHub
- Or email the maintainers directly
- Provide details about the vulnerability and potential impact
## Data Privacy
This MCP server:
- Does not collect or store any user data
- Only makes API requests you explicitly initiate
- Does not transmit API keys or sensitive data anywhere except to YouTube's official API
- Runs entirely on your local machine
## Dependencies
This project uses several npm dependencies. To check for security vulnerabilities:
```bash
npm audit
```
Update dependencies regularly to get security patches:
```bash
npm update
```
## YouTube API Terms of Service
By using this software, you agree to comply with:
- [YouTube Terms of Service](https://www.youtube.com/t/terms)
- [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy)
- [YouTube API Services Terms of Service](https://developers.google.com/youtube/terms/api-services-terms-of-service)
Key points:
- Respect video privacy settings
- Don't scrape content beyond what the API provides
- Don't use this for spam or abuse
- Comply with rate limits and quotas
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.