# Stremio Token-in-URL Research

**Conclusion:** Token-in-URL is the universal standard in the Stremio addon ecosystem. No alternative exists.

## Evidence

### Stremio Addon SDK (Official)
Source: `https://github.com/Stremio/stremio-addon-sdk/blob/master/docs/api/responses/stream.md`

The `Stream` response object supports `infoHash` (torrent magnet) or `url` (direct link). There is **no** concept of addon-side auth headers, client-side tokens, or debrid credential injection. The addon returns metadata; the client is responsible for debrid resolution.

### AIOStreams (Viren070/aiostreams)
Source: `https://github.com/Viren070/AIOStreams` README

> "AIOStreams dynamically applies your debrid keys, so you only have to configure it once."

Token-in-URL pattern (self-hosted):
- `https://aiostreams.elfhosted.com/stremio/manifest.json?realdebrid=TOKEN`
- Token is a **query parameter** (not path) in the manifest URL

### Torrentio (TheBeastLT/torrentio-scraper)
Source: community documentation, public manifest schema

Token-in-URL pattern (self-hosted or public):
- `https://torrentio.strem.fun/realdebrid=TOKEN/manifest.json`
- Token is in the **URL path** (not query)

### Comet, MediaFusion, Jackettio
All follow the same pattern — debrid tokens embedded in the manifest URL, either as query params or path segments.

## Security Implications

**URLs containing tokens may appear in:**
- OkHttp interceptor debug logs (mitigated by `SensitiveLogSanitizer`)
- HTTP referrer headers if the addon redirects to external resources
- Server access logs on the addon host
- Android logcat in debug builds

**Unspooled mitigations:**
- `SensitiveLogSanitizer.sanitizeUrl()` redacts query strings and path-based token patterns
- `ManifestUpdateManager.redactUrl()` redacts path tokens before logging
- `AIOStreamsConfigBuilder` only logs credential count, never values
- `buildTorrentioUrl()` return value is never logged
- User must trust the addon host (elfhosted, strem.fun, etc.) — this is identical to every other Stremio client

## Why This Can't Change

The Stremio addon protocol (v2-4) has no mechanism for:
1. Client-provided auth headers
2. Per-request token injection by the client
3. Encrypted credential storage negotiated between client and addon

The addon receives a plain HTTP GET for `/stream/{type}/{id}.json` with no auth context. Debrid resolution requires the addon to query the debrid API, which requires the token. The only place the token can go is in the URL.

**This is not a Unspooled design flaw — it's the fundamental architecture of the Stremio ecosystem.**
