YouTube OAuth Lifecycle on Workers

Use KV for short-lived OAuth state and D1 for long-lived tokens.

State Management

• Generate random 16-byte hex state.
• Save oauth_state:<state> in KV with 5-minute TTL.
• Delete state after successful verification (one-time use).

Token Storage

Persist in D1 (youtube_auth):

• access_token
• refresh_token
• expires_at
• channel metadata and scopes

Auto-refresh Rule

When fetching access token:

• If expires_at - now < 300 seconds, refresh before returning token.

if (record.expires_at - now < 300) {
  await refreshAccessToken();
}

Operational Notes

• Keep client secret and redirect URI in Workers secrets.
• Always request access_type=offline and prompt=consent to receive refresh token reliably.