Private APIs usage

[Zekfad]

Suppose I found API endpoint which is not documented in this docs, am I allowed to use it? Please clarify it on that help page: Destiny Account Restrictions and Banning Policies. Currently it only says:

Accessing the publicly-facing Bungie.net and Companion web APIs in a manner that does not create an unreasonable load on these services.

Also Terms of Use says:

Your application must not attempt to sign in to Bungie.net using HTTP authentication cookies. This includes reverse engineering the sign-in flow used by Bungie.net or the companion apps or by using authentication cookies extracted from a user’s session.

You may not otherwise reproduce, modify, distribute, decompile, disassemble or reverse engineer any portion of the Bungie.net API or API Data.

But I'd like to clarify if I'm allowed to use the undocumented APIs? Also what does it mean to "reverse engineer Bungie.net API or API Data"? Does it mean pen-testing the API server?

[jshaffstall-bng]

It's probably best to not be using undocumented APIs.

But if you find one that you think should be public and documented, you can let us know here.

[delphiactual]

https://www.bungie.net/Platform/User/Search/Prefix/{username}

[jshaffstall-bng]

If that Bungie Name prefix search API isn't public and documented, that sounds like an oversight on our part. Pinging @Achronos-BNG to clarify.

[Zekfad]

It's probably best to not be using undocumented APIs.

Alright, so will I be punished if I do use them? If it is explicitly prohibited?

[Achronos-BNG]

While it is generally discouraged from using undocumented APIs (they can and do change behavior without warning), this particular API not being documented (/user/search/prefix/) is an oversight. It will be added to the documentation in a future release, but feel free to use it now.

[krigga]

what about this one

POST https://www.bungie.net/Platform/Destiny2/Actions/Items/DismantleItem/ [
  DestinyItemAdvancedActionRequest {
    actionToken: 'String',
    itemInstanceId: 'String',
    characterId: 'String',
    membershipType: 'Number'
  }
]

[justrealmilk]

what about this one

POST https://www.bungie.net/Platform/Destiny2/Actions/Items/DismantleItem/ [
  DestinyItemAdvancedActionRequest {
    actionToken: 'String',
    itemInstanceId: 'String',
    characterId: 'String',
    membershipType: 'Number'
  }
]

You can't use this without using one of Bungie's own API keys so yes it's very discouraged and a violation 😂

[jshaffstall-bng]

/user/search/prefix/ is now documented and public. /DismantleItem/ doesn't work for any clients so avert thine eyes.