Repackage

Authentication

Bearer API keys for the REST API and OAuth 2.1 for MCP.

Repackage has two authentication paths depending on what you're calling.

SurfaceMethodUse when
REST APIAuthorization: Bearer rpk_...You're calling the API from a backend, script, or CI job.
MCP serverOAuth 2.1 (PKCE)You're connecting an agent like Cursor or Claude Desktop.

Both flows resolve to an organization, not a user. Quotas, billing, and access live at the org level.

REST API: Bearer keys

Mint a key

  1. Sign in at app.repackage.app.
  2. Go to Keys in the dashboard sidebar.
  3. Click Create key, give it a name (e.g. production), copy the key shown once. The plaintext is never stored — if you lose it, mint a new one.

Keys are prefixed rpk_ so you can recognize them in logs.

Send the header

curl https://api.repackage.app/transcript?id=dQw4w9WgXcQ \
  -H "Authorization: Bearer rpk_your_key_here"

Anonymous access during rollout

While the API is in transition, unauthenticated requests still work but are rate limited per IP and respond with a Deprecation: true header plus a Link header pointing here. New endpoints (bulk, playlist, channel) require a key from day one.

HTTP/1.1 200 OK
Deprecation: true
Link: <https://repackage.app/docs/authentication>; rel="deprecation"

Rotate or revoke

In the dashboard, click Revoke next to a key. The next call using that key returns:

{
  "error": {
    "code": "invalid_api_key",
    "message": "API key is invalid or revoked.",
    "retryable": false
  }
}

MCP: OAuth 2.1

The MCP server (https://api.repackage.app/mcp) is OAuth-protected. MCP clients that follow the MCP authorization spec discover the auth server via:

GET https://api.repackage.app/.well-known/oauth-protected-resource/mcp

The flow uses PKCE (S256). Clients need an OAuth client registered with the Repackage auth server unless dynamic client registration is explicitly enabled for the deployment.

Scopes:

  • transcripts:read — call any of the transcript tools.
  • library:read — read your saved videos and projects (future).
  • youtube:read — read connected YouTube channel status, saved research, and outliers.
  • youtube:sync — sync connected YouTube channel analytics.

Cursor / Claude Desktop install snippets →

Security notes

  • Treat keys like passwords. Don't commit them. Rotate on suspicion.
  • Server-to-server only — never embed an API key in a browser bundle. Use a backend proxy.
  • We log the last used time per key so you can spot stale keys in the dashboard.

Quickstart

Pull a transcript in 30 seconds.

Plans and limits

What's included on Free vs Pro, and what happens at the limit.

On this page

REST API: Bearer keysMint a keySend the headerAnonymous access during rolloutRotate or revokeMCP: OAuth 2.1Security notes