Skip to content

Cookie Authentication

LucQuebec edited this page Jul 2, 2026 · 1 revision

Cookie Authentication

Some sites require the user to be logged in to access content. yt-dlp handles this via a Netscape-format cookies file passed with the --cookies option.


The Netscape cookie format

yt-dlp expects a plain text file where each line represents one cookie:

# Netscape HTTP Cookie File
<domain>  <includeSubDomains>  <path>  <secure>  <expiry>  <name>  <value>

Fields are separated by tabs. Example:

# Netscape HTTP Cookie File
.example.com	TRUE	/	TRUE	0	sessionid	abc123xyz
.example.com	TRUE	/	TRUE	0	csrftoken	def456uvw

Option 1 — Export cookies from a browser (desktop)

The easiest method if your users can log in on a desktop browser:

  1. Install a browser extension that exports cookies in Netscape format (e.g. "Get cookies.txt LOCALLY" for Chrome/Firefox)
  2. Export cookies for the target site
  3. Transfer the .txt file to the device
  4. Pass it to the request:
YtDlpRequest request = new YtDlpRequest(url)
        .addOption("--cookies", "/sdcard/Download/cookies.txt")
        .setOutputTemplate(outputPath);

Option 2 — Extract cookies from an Android WebView

If your app has a WebView where the user logs in, Android's CookieManager gives you access to the session cookies.

Step 1 — Let the user log in via WebView

WebView webView = new WebView(context);
webView.getSettings().setJavaScriptEnabled(true);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onPageFinished(WebView view, String url) {
        // Detect successful login by URL change
        if (url.contains("example.com") && !url.contains("/login")) {
            onLoginSuccess();
        }
    }
});
webView.loadUrl("https://www.example.com/login");

Step 2 — Read and export the cookies

import android.webkit.CookieManager;
import java.io.*;

public static File exportCookiesToFile(Context context, String domain)
        throws IOException {
    CookieManager cm = CookieManager.getInstance();
    String rawCookies = cm.getCookie("https://" + domain);

    if (rawCookies == null || rawCookies.isEmpty()) {
        throw new IOException("No cookies found for " + domain +
                " — is the user logged in?");
    }

    File cookieFile = new File(context.getFilesDir(), "cookies_" + domain + ".txt");
    StringBuilder sb = new StringBuilder("# Netscape HTTP Cookie File\n");

    for (String pair : rawCookies.split(";")) {
        pair = pair.trim();
        int eq = pair.indexOf('=');
        if (eq < 0) continue;
        String name  = pair.substring(0, eq).trim();
        String value = pair.substring(eq + 1).trim();

        // <domain>  <subDomains>  <path>  <secure>  <expiry>  <name>  <value>
        sb.append(".").append(domain).append("\tTRUE\t/\tTRUE\t0\t")
          .append(name).append("\t").append(value).append("\n");
    }

    try (FileWriter fw = new FileWriter(cookieFile)) {
        fw.write(sb.toString());
    }
    return cookieFile;
}

Step 3 — Use the cookies file in your request

File cookiesFile = exportCookiesToFile(context, "example.com");

YtDlpRequest request = new YtDlpRequest(videoUrl)
        .addOption("--cookies", cookiesFile.getAbsolutePath())
        .setOutputTemplate(outputPath);

YtDlp.executeAsync(request, progressCallback);

Step 4 — Clean up after use

Cookie files contain session tokens — treat them like passwords:

// Delete after the download completes
cookiesFile.delete();

Important notes

  • Cookie expiry — Session cookies have a limited lifespan. If a download fails with a 401 or 403 error after a period of inactivity, the user needs to log in again and new cookies must be exported.
  • Security — Never log cookie file contents. Store cookie files in the app's private internal storage (context.getFilesDir()), which is inaccessible without root.
  • Pro version — The Pro version (curl-cffi) eliminates the need for cookies on sites that use TLS fingerprinting by impersonating a real browser at the network level.

Troubleshooting

No cookies found → The user is not logged in to the site in your WebView, or the domain name doesn't match exactly.

403 error even with cookies → The cookies have expired or the site requires additional headers. Try adding:

request.addOption("--add-header", "Referer:https://www.example.com/");

The extractor is attempting impersonation → Cookies alone are not enough for this site — it requires TLS fingerprint impersonation. Use the Pro version.

Clone this wiki locally