yt-dlp: "Sign in to confirm you're not a bot"
This yt-dlp error means YouTube flagged your request as automated. Here is what actually triggers it, the fixes that work, and how to avoid it entirely.
What the error means
YouTube decided your request looks like a bot and now demands a signed-in, verified session before it will serve the video. yt-dlp surfaces that as “Sign in to confirm you’re not a bot.” It is a server-side wall, not a bug in yt-dlp.
Why it happens
- Your IP is flagged — data-center and VPS ranges (and IPv6) trip it fastest.
- No PO token: YouTube increasingly wants a Proof-of-Origin token yt-dlp cannot always mint.
- No cookies: an anonymous client looks more like a scraper than a browser.
- Volume: too many requests from one IP in a short window.
Fixes that work
Start by passing real browser cookies so the request looks like a logged-in session:
yt-dlp --cookies-from-browser chrome "https://youtu.be/dQw4w9WgXcQ"If it still fails: force IPv4 with --force-ipv4, install a JS runtime (Deno) so yt-dlp can generate a PO token, route through a residential proxy instead of your VPS IP, and update to the latest nightly — the extractors change often.
The permanent fix: don't fight the wall
Cookies expire, IPs get re-flagged, and PO tokens change. A hosted API keeps fresh sessions, residential IPs, and PO tokens on the server side, so your code just asks for a URL and gets one back:
curl "https://tunelio.dev/create?url=https://youtu.be/dQw4w9WgXcQ&quality=720p" \
-H "Authorization: Bearer tnl_your_api_key"Next steps
New accounts get 100 free credits, no card required. If you keep hitting the bot wall in production, that is the signal to move the extraction off your own IP.
Frequently asked questions
Does adding cookies always fix it?
Often, but not forever. Cookies expire and a flagged IP can still be challenged, so cookies are a patch rather than a durable fix.
What is a PO token?
A Proof-of-Origin token YouTube uses to verify the client. yt-dlp needs a JS runtime to mint one, and the scheme changes over time.
Will a hosted API hit the same wall?
It handles the wall for you — rotating residential IPs, fresh sessions, and PO tokens live server-side, so your app never sees the challenge.