This document is aligned with the active routes in internal/transport/http/router.go.
All JSON endpoints use a consistent response envelope:
{
"success": true,
"data": {}
}Or on error:
{
"success": false,
"error": {
"code": "...",
"message": "..."
}
}Note: proxy and merge endpoints may return binary streams.
- Simple JSON health check.
- Example fields:
status,timestamp.
- Returns public backend settings such as
public_base_url,merge_enabled,upstream_timeout_ms,allowed_origins, andmax_download_size_mb.
- Returns public runtime stats (visits, extractions, downloads).
- This endpoint also records a visitor hit per request.
Core endpoints are exposed under two prefixes with the same handlers.
Primary frontend runtime flow targets signed /api/web/* routes.
POST /api/web/extractGET /api/web/proxyGET /api/web/downloadPOST /api/web/merge
Additional middleware on this group:
- Origin check (
RequireOrigin) - Anti-bot filter (
BlockBotAccess) - Web signature verification (
RequireWebSignatureusingX-Downaria-Timestamp,X-Downaria-Nonce,X-Downaria-Signature) - Merge route is additionally gated by
MERGE_ENABLED(RequireMergeEnabled)
POST /api/v1/extractGET /api/v1/proxyGET /api/v1/downloadPOST /api/v1/merge(registered only whenWEB_INTERNAL_SHARED_SECRETis empty)
The /api/v1/* group does not apply origin-protection or anti-bot middleware.
POST /api/v1/merge should be treated as conditional compatibility mode, not the default production runtime path.
- Request JSON:
{ "url": "...", "cookie": "optional" } - Validates
http/httpsURL, selects extractor through the registry, executes extraction, and records extraction metrics. - Success response returns the extracted payload in
data(no nestedresult).
- Required query:
url - Optional query:
head=1,download=1 - Supports forwarding
Rangefor stream/seek. head=1returns header metadata (X-File-Size,Content-Type) without a body.- File size behavior is mode-aware:
- Preview/proxy mode (
download=0): capped at 10 GB (maxProxyPreviewSizeMB) - Download mode (
download=1): capped byMAX_DOWNLOAD_SIZE_MB
- Preview/proxy mode (
- HEAD metadata requests are deduplicated with singleflight and cached for
45s.
- Same handler as proxy endpoint but forced download mode.
- Equivalent to proxy request with
download=1. - Applies
MAX_DOWNLOAD_SIZE_MBcap and sets attachment-orientedContent-Disposition.
- Base request JSON fields:
url,videoUrl,audioUrl,quality,format,filename,userAgent,platform. - Supports three request modes:
- YouTube URL fast-path (
urlwith YouTube host): resolves separate streams viayt-dlp, then merges via FFmpeg. - Direct pair merge (
videoUrl+audioUrltogether): merges non-YouTube stream pairs directly via FFmpeg. - Audio-only conversion (
format=m4a|mp3or matchingquality): extracts audio stream and returnsm4aormp3.
- YouTube URL fast-path (
- Validation rules:
videoUrlandaudioUrlmust be provided together.- If direct pair is not used,
urlis required. - Non-YouTube
urlis only accepted for audio-only conversion.
- Response is a binary attachment stream.
- Merge output size is capped by
MAX_MERGE_OUTPUT_SIZE_MB. - Response includes
Content-Disposition: attachmentwith resolved output filename. - Runtime default is signed
POST /api/web/merge; publicPOST /api/v1/mergeis conditional (only whenWEB_INTERNAL_SHARED_SECRETis unset). - When
CONCURRENT_MERGE_ENABLED=true, direct pair merges use concurrent download + worker pool execution.
- Required query:
url - Optional query:
chunk=1 - Behavior:
- no
chunk: playlist path, parse and rewrite variant/segment URLs back to HLS proxy route chunk=1: segment path, direct streaming passthrough
- no
- Headers:
- Playlists:
Cache-Control: no-cache - Segments:
Cache-Control: public, max-age=86400, immutable - CORS:
Access-Control-Allow-Origin: *
- Playlists:
- Exposes text-format Prometheus-compatible content delivery metrics.
- Includes active download/merge/HLS gauges, operation counters, cache hit counters, and average duration/throughput series.
Examples:
# Video merge (fast-path, signed web route)
curl -X POST "http://localhost:8081/api/web/merge" \
-H "X-Downaria-Timestamp: <unix-seconds>" \
-H "X-Downaria-Nonce: <random-nonce>" \
-H "X-Downaria-Signature: <hmac-signature>" \
-H "Content-Type: application/json" \
-d '{"url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ","quality":"1080p","format":"mp4"}'
# Audio-only (M4A, signed web route)
curl -X POST "http://localhost:8081/api/web/merge" \
-H "X-Downaria-Timestamp: <unix-seconds>" \
-H "X-Downaria-Nonce: <random-nonce>" \
-H "X-Downaria-Signature: <hmac-signature>" \
-H "Content-Type: application/json" \
-d '{"url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ","format":"m4a","filename":"track.m4a"}'
# Direct pair merge (non-YouTube streams, signed web route)
curl -X POST "http://localhost:8081/api/web/merge" \
-H "X-Downaria-Timestamp: <unix-seconds>" \
-H "X-Downaria-Nonce: <random-nonce>" \
-H "X-Downaria-Signature: <hmac-signature>" \
-H "Content-Type: application/json" \
-d '{"videoUrl":"https://cdn.example.com/video.m3u8","audioUrl":"https://cdn.example.com/audio.m3u8","filename":"clip.mp4"}'GET /api/v1/statusis not present in the current router.- Legacy documentation that references that status endpoint is no longer valid.
- Router behavior is controlled by
internal/transport/http/router.go. POST /api/v1/mergeis intentionally not registered whenWEB_INTERNAL_SHARED_SECRETis configured.cmd/server/main.gocurrently requiresWEB_INTERNAL_SHARED_SECRET, so production deployments should use signed/api/web/merge.