Tustin / psn-php

A PHP wrapper for the PSN API
https://tustin.dev/psn-php/
MIT License

Getting Error 429 when creating message thread/group both using library and PSN website #169

Closed isFakeAccount closed 3 years ago

isFakeAccount commented 3 years ago

The endpoint https://us-gmsg.np.community.playstation.net/groupMessaging/v1 does not work when creating new message threads/groups and it always returns Error 429.

Interestingly, this also happens on the PSN official website. If I try to send a message to someone new, the website shows me an error 'Message not sent'.


Error Code details: (I can send the next message in 51 years xD)


You are able to send messages if you initiate the conversation from PSN Android App. Perhaps Sony disabled this endpoint on purpose. Has anyone figured out creating threads/groups endpoint from the PSN App? Also, see if you are able to reproduce the same error on the PSN website or perhaps using this library.

Bornhall commented 3 years ago

Did anyone get anywhere with this? I've been writing my own PSN sort-of-api in PHP, and for what I use it for it works, with the exception of adding anyone to an existing thread. Basically, I get 429 response code from not only my own PSN api, but also from Chrome, Safari and Firefox logged in on my.playstation.com – just returns error code 2122251: Rate limit exceeded in all instances. Curious if this somehow works on other platforms like Android and iOS (just tried on iOS, and it works fine there too).

I'm using basic CURL to send requests, the function in question looks like this, and should work :)

public function addToThread($psnId, $threadId) {
    // Response headers collected by the header callback below: lowercase name => list of values
    $headers = [];
    $endpoint = 'https://se-gmsg.np.community.playstation.net/groupMessaging/v1/threads'.'/'.$threadId.'/users';
    // self::$curlh is a shared curl handle created elsewhere in the class; reset it between requests
    curl_reset(self::$curlh);
    // Optional debugging: self::$curlf is a file handle that receives curl's verbose log
    if( !is_null(self::$curlf) && false !== self::$curlf ) {
        curl_setopt_array(self::$curlh, [
            CURLOPT_VERBOSE => true,
            CURLOPT_STDERR => self::$curlf,
        ]);
    }
    curl_setopt_array(self::$curlh, [
        CURLOPT_URL => $endpoint,
        CURLOPT_POST => true,
        // JSON body: the user(s) to add to the thread
        CURLOPT_POSTFIELDS => json_encode([
            'userActionEventDetail' => [
                'targetList' => [
                    ['onlineId' => $psnId],
                ],
            ],
        ]),
        CURLOPT_MAXREDIRS => 0,
        CURLOPT_RETURNTRANSFER => true,
        // Mimic the headers the my.playstation.com web client sends; self::$state holds the OAuth tokens
        CURLOPT_HTTPHEADER => [
            'Accept-Language: en-US',
            'User-Agent: '.self::USER_AGENT,
            'Authorization: Bearer '.self::$state['access_token'],
            'Origin: https://my.playstation.com',
            'Referer: https://my.playstation.com/',
            'Content-Type: application/json; charset=utf-8',
        ],
        // Called once per response header line; must return the number of bytes consumed
        CURLOPT_HEADERFUNCTION => function($curl, $header) use (&$headers) {
            $len = strlen($header);
            $header = explode(':', $header, 2);
            if(count($header) < 2) {    // ignore invalid headers (status line, blank line)
                return $len;
            }
            $headers[strtolower(trim($header[0]))][] = trim($header[1]);
            return $len;
        },
    ]);
    $response = curl_exec(self::$curlh);
    // Debug aid: dump the raw response body to disk for inspection
    file_put_contents('response.txt', $response);
}

Obviously it uses some external references to the CURL handle, access token and some other stuff for debugging, but same as with the browsers, it yields a 429 response with the "Rate limit exceeded" error message.

{"error":{"code":2122251,"message":"Rate limit exceeded"}}

Curious as to if someone has captured traffic from the PSN app on iOS/Android to see what differs?
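An added example (not Bornhall's code and not part of psn-php) showing how a client could classify the 429 response quoted above instead of retrying blindly: it checks for the error code 2122251 from the thread, caps the Retry-After value so an absurd delay (the "51 years" seen on the website) cannot stall the client, and gives up after a few consecutive 429s, since a persistent 429 on this endpoint looks like a disabled endpoint rather than a real rate limit. The header layout matches the CURLOPT_HEADERFUNCTION callback above; the sample response, the cap values and the function name are assumptions.

```php
<?php
// Constructed sample response in the shape the thread reports (values are assumptions).
const SAMPLE_STATUS  = 429;
const SAMPLE_HEADERS = [
    'content-type' => ['application/json; charset=utf-8'],
    'retry-after'  => ['1609459200'],   // nonsensical delta-seconds, like the "51 years" case
];
const SAMPLE_BODY = '{"error":{"code":2122251,"message":"Rate limit exceeded"}}';

const PSN_RATE_LIMIT_CODE = 2122251;  // error code quoted in the thread
const MAX_BACKOFF_SECONDS = 300;      // assumption: never wait more than 5 minutes for one retry
const MAX_ATTEMPTS        = 3;        // assumption: after this many 429s in a row, stop and report

/**
 * Decide how to handle one response. $headers uses the same layout the header
 * callback builds: lowercase name => list of values. $attempt counts consecutive
 * 429s already seen for this request. Returns ['retry' => bool, 'wait' => int, 'reason' => string].
 */
function classifyResponse(int $status, array $headers, string $body, int $attempt = 1): array
{
    if ($status !== 429) {
        return ['retry' => false, 'wait' => 0, 'reason' => "status $status"];
    }
    $decoded = json_decode($body, true);
    $code = $decoded['error']['code'] ?? null;
    if ($code !== PSN_RATE_LIMIT_CODE) {
        // A 429 without the known body is not something to retry on autopilot
        return ['retry' => false, 'wait' => 0, 'reason' => 'unexpected 429 body'];
    }
    if ($attempt >= MAX_ATTEMPTS) {
        // Repeated 429s regardless of pacing: surface it rather than hammer the endpoint
        return ['retry' => false, 'wait' => 0, 'reason' => 'persistent 429, endpoint likely disabled'];
    }
    // Retry-After is delta-seconds or an HTTP-date (RFC 7231); clamp it to a sane range
    $raw = $headers['retry-after'][0] ?? '0';
    $seconds = ctype_digit($raw) ? (int) $raw : max(0, (int) strtotime($raw) - time());
    $wait = min(max($seconds, 1), MAX_BACKOFF_SECONDS);
    return ['retry' => true, 'wait' => $wait, 'reason' => $decoded['error']['message']];
}

// Usage: on the constructed sample this yields retry => true, wait => 300 (capped)
$decision = classifyResponse(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY);
print_r($decision);
```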

isFakeAccount commented 3 years ago

@Bornhall

> Curious as to if someone has captured traffic from the PSN app on iOS/Android to see what differs?

I tried to do that but it is quite difficult. Even on a rooted device. The App would detect that the traffic is being redirected through the middleman and just stop working altogether.

I used the same methods on the XBOX app and I was able to sniff the traffic relatively easily.

Bornhall commented 3 years ago

> I tried to do that but it is quite difficult. Even on a rooted device. The App would detect that the traffic is being redirected through the middleman and just stop working altogether.

Ok, that's a bummer, but many thanks for the input Vlad, appreciate the feedback!

Tustin commented 3 years ago

Yeah, this endpoint is the old API which as far as I've seen has been completely disabled. I'm able to sniff traffic on iOS and I'm in the process of updating the library to use the new version of their API (along with a bunch of other changes).

Bornhall commented 3 years ago

Here's my "quick and dirty" PSN class: kvickpsn.zip

Not sure if this is of any interest to anyone, but this is my simple "cobbled-together" class for the basic functionality that I need (checking threads basically, replying to messages when needed). Seems to work for the moment at least, dunno what "version" of the API it uses (says v1 in the URLs, but not sure if that is any indication of anything) but for what it does it seems to work, getting the npsso from https://ca.account.sony.com/api/v1/ssocookie after logging in (per Vlad's tip).

Do note that this is not production code of any kind, it contains a lot of debug code, but if anyone wants to use it – I'm fine with that (improvements most welcome, just tag on @gmail.com to my username if you want to get in touch). Most of the credit needs to go to Josh and Vlad as well in some respect, much of it is based on information gathered from their respective works. The only requirement is the React\EventLoop, which is easily installed with composer.

Note: It needs a valid PSN id and account id (the numerical one) in the kvickpsn.php class, and first time login needs a valid npsso code from a logged in account supplied to the authenticate() method.

@Tustin – if this is overstepping or misplaced, feel free to remove it, no hard feelings.

isFakeAccount commented 3 years ago

@Tustin how tf. Maybe I know what method you used?

I was using httptoolkit with adb traffic monitoring.

I also tried to repack the apk so it accepts the certificate. But no luck. The app just kept crashing if I modify it even a little bit.

Tustin commented 3 years ago

> @Tustin how tf. Maybe I know what method you used?

SSL Killswitch 2 works fine. You'll need to be jailbroken to use it. I'm on iOS13 so I'm not sure if it will still work on the iOS14+ jailbreaks.

isFakeAccount commented 3 years ago

I installed this Xposed framework called Just Trust Me. But my SafetyNet started failing, and the PSN app wouldn't work. I was able to sniff Xbox traffic though.

stipey commented 3 years ago

@Bornhall Hey. Thanks for providing the script. As my current refresh token expired today, I ran your script to create a new one, but using it with this API causes an Invalid refresh token error. Any idea what I might be doing wrong? I'm just running it with a newly created npsso and grabbing the refresh_token from the JSON.

Bornhall commented 3 years ago

> @Bornhall Hey. Thanks for providing the script. As my current refresh token expired today, I ran your script to create a new one, but using it with this API causes an Invalid refresh token error. Any idea what I might be doing wrong? I'm just running it with a newly created npsso and grabbing the refresh_token from the JSON.

@stipey If it helps anyone, you're welcome! I'm not sure that the refresh token you get from my script can be used with Tustin's code that uses other api endpoints, if that's what you are trying to do?

I did just now perform a refresh on my own here just to check, and the new refresh token worked for my code. I did the following steps:

  1. Logged out and in again to the PSN account I want to use with KvickPSN (used Chrome).
  2. Pointed my browser to https://ca.account.sony.com/api/v1/ssocookie and snagged the npsso code from there (not the entire JSON string)
  3. Called the authenticate() method of KvickPSN with the npsso code, which retrieves a new refresh token and saves it in the JSON file.
  4. Checked that it worked, and it did.

But if I understand correctly you did get the refresh token, but it just didn't work. Was that with KvickPSN or Tustin's PSN-PHP?

Also, I chucked the code (basically same as above) here for future reference: https://github.com/Bornhall/kvickpsn

stipey commented 3 years ago

> @Bornhall Hey. Thanks for providing the script. As my current refresh token expired today, I ran your script to create a new one, but using it with this API causes an Invalid refresh token error. Any idea what I might be doing wrong? I'm just running it with a newly created npsso and grabbing the refresh_token from the JSON.
>
> @stipey If it helps anyone, you're welcome! I'm not sure that the refresh token you get from my script can be used with Tustin's code that uses other api endpoints, if that's what you are trying to do?
>
> I did just now perform a refresh on my own here just to check, and the new refresh token worked for my code. I did the following steps:
>
>   1. Logged out and in again to the PSN account I want to use with KvickPSN (used Chrome).
>   2. Pointed my browser to https://ca.account.sony.com/api/v1/ssocookie and snagged the npsso code from there (not the entire JSON string)
>   3. Called the authenticate() method of KvickPSN with the npsso code, which retrieves a new refresh token and saves it in the JSON file.
>   4. Checked that it worked, and it did.
>
> But if I understand correctly you did get the refresh token, but it just didn't work. Was that with KvickPSN or Tustin's PSN-PHP?
>
> Also, I chucked the code (basically same as above) here for future reference: https://github.com/Bornhall/kvickpsn

@Bornhall You are right, and it dawned on me while testing that the refresh code I get using your code might not work in the Tustin code, which was my intent. Thanks for getting back to me, much appreciated.

quangtn commented 3 years ago

Got similar Error 42 with endpoint https://us-gmsg.np.community.playstation.net/groupMessaging/v1, which is the same as the PSN site. I thought I accidentally ran multiple loops and got my account blocked, but it seems to happen with a new PSN account I just created for testing as well. I had to use the iOS PSN app to create the thread/group with the player manually before sending a message worked on the PSN website. Hope someone has any insight on this.

natrix5369 commented 3 years ago

Hi! Has anyone sniffed the traffic using Xbox, Android or iOS? Any ideas how to add users to a messageThread? The site gives error 429 :(

isFakeAccount commented 3 years ago

@Bornhall I used to get the thread Id with the endpoint

https://us-gmsg.np.community.playstation.net/groupMessaging/v1/users/me/threadIds?withOnlineIds=<onlineID>

However, recently it stopped working as well and gives me Error 429 with the following message

'{"error":{"code":2122251,"message":"Rate limit exceeded"}}'

Curious what endpoint do you use to get the threads that the logged-in user has joined?

Bornhall commented 3 years ago

> @Bornhall I used to get the thread Id with the endpoint
>
> https://us-gmsg.np.community.playstation.net/groupMessaging/v1/users/me/threadIds?withOnlineIds=<onlineID>
>
> However, recently it stopped working as well and gives me Error 429 with the following message
>
> '{"error":{"code":2122251,"message":"Rate limit exceeded"}}'
>
> Curious what endpoint do you use to get the threads that the logged-in user has joined?

Yeah, I'm experiencing the same thing myself.

Just testing around a bit last night, but didn't get anywhere really. Don't know if @Tustin has anything to contribute with, but I'll tag him anyway. I managed to lift the "authorization: Bearer <refresh token>" from Chrome (logged in to my.playstation.com) and got it working until that token expired. But that was just temporary.

I haven't got the time to dive into the communication between the browser and PSN, but I think it may well just be a stop-gap solution either way, since it looks like they are going to discard the My PlayStation pages sooner rather than later. Better if someone can figure out how the apps are talking to the PSN server instead.

Anyone else have anything on this, feel free to add your thoughts/solutions.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

isFakeAccount commented 2 years ago

Has anyone found the endpoint for message threads?