Post: Call of Duty API Endpoints
09-23-2017, 03:07 PM #1
Tustin
Balls of Steel
Recently, Activision You must login or register to view this content.. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

Resources:

API URLs:
IW: You must login or register to view this content.
BO3: You must login or register to view this content.

Platform Identifiers (used for 'platform' parameter):
PSN - psn
Xbox Live - xbl
Steam - steam

Endpoints:

User Stats:
GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

Leaderboards:
GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

Quartermaster Inventory (requires authentication):
Support for BO3 supply drops isn't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) not sure what the 'c' param is used for. The value is a unix timestamp but maybe it stands for cache?

Keys/Salvage/COD Points (requires authentication):
Again, requires authentication and also doesn't support BO3.
GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

Purchasing Supply Drop (requires authentication):
This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

Opening Supply Drop (requires authentication):
Again, I've only tested this with common crates.
POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!

The following 5 users say thank you to Tustin for this useful post:

AppaTroix, Cbuf_AddText, Hydrogen, Norway-_-1999, Playstation VR
09-23-2017, 04:36 PM #2
You must login or register to view this content. hmm so Tustin never played Gorod?
09-23-2017, 09:59 PM #3
Hydrogen
Super Mod
I'm going to take an educated guess, but are the c params

// Configuration Parameters?

I'm probably extra wrong, but it's worth a guess. Also, the authentication, I would throw my opinion over that, but I'm sure reversing the API and encryption authentication are probably two different things. I may be wrong as well so let me just stop here before I start rambling with nonsense.

Furthermore, does this edit values inside of the games? or are they just used for data collection?
09-23-2017, 10:09 PM #4
Tustin
Balls of Steel
Originally posted by Frosty View Post
You must login or register to view this content. hmm so Tustin never played Gorod?

I did, I even got to round 50 and beat the egg on that map. BO3 zombie stats seem to be off for some reason. I hacked together this site for IW zombies earlier this morning:
You must login or register to view this content.

The following user thanked Tustin for this useful post:

Frosty
09-23-2017, 10:16 PM #5
Tustin
Balls of Steel
Originally posted by Hydrogen View Post
I'm going to take an educated guess, but are the c params

// Configuration Parameters?

I'm probably extra wrong, but it's worth a guess. Also, the authentication, I would throw my opinion over that, but I'm sure reversing the API and encryption authentication are probably two different things. I may be wrong as well so let me just stop here before I start rambling with nonsense.

Furthermore, does this edit values inside of the games? or are they just used for data collection?

Data collection mostly. I tried messing with a few things when it comes to buying supply drops but no dice. You can't edit your stats in any way using this.

The authentication part wouldn't be too hard. You can login with PSN using Sony's OAuth2 flow, which I've already reversed for my PSN API library. Alternatively, you can login with an Activision account which makes it easier depending on if they use any "gotchas" (CSRF tokens, Captcha, etc). I just haven't got around to looking into it yet.

The following user thanked Tustin for this useful post:

Hydrogen
09-23-2017, 10:44 PM #6
xNIGHTMAREM0DZx
NextGenUpdate Elite
Interesting, although being able to edit stats would be badass, let's be honest.
09-24-2017, 01:20 AM #7
I found a little difference when I searched for their API too: when I purchase a Common Crate I have "v1" in the URL (and not "v2"):
https://my.callofduty.com/api/papi-client/inventory/v1/title/iw/platform/psn/gamer/<yourPsn>/item/CommonCrate/redeem

Also, other endpoints I found:

See the current weekly special deals in the supply drop market (doesn't need auth):
You must login or register to view this content.

See your current platforms and games you played (just pass your ACT_SSO_COOKIE):
https://my.callofduty.com/api/papi-client/crm/cod/v2/identities/<ACT_SSO_COOKIE>/

Also, for the authentication you can just use your cookies and pass them; it works.

EDIT: There is something (maybe a vulnerability on their side): if I visit this link: You must login or register to view this content. even on a fresh web browser without cookies, it gives me my PSN and some info even if I'm not logged in. Maybe it only checks the IP?
Last edited by Marbella ; 09-24-2017 at 02:07 AM.

The following user thanked Marbella for this useful post:

Tustin
09-24-2017, 02:37 AM #8
Tustin
Balls of Steel
Weird, it gives an error about "no token". Could be a cache thing? Seems like a bad idea to cache something like that tho.
09-24-2017, 03:18 AM #9
Same with Tustin, just says no token.
09-24-2017, 04:26 AM #10
Originally posted by Frosty View Post
Same with Tustin, just says no token.


It's strange, I made a little video:
You must login or register to view this content.

If I have my cookies and go to the link, it works, and even if I delete my cookies it works (but it shouldn't); it's the same for other links.
It lasts like 5 mins before I get the no token error.

Another detail: when you get currency or inventory on IW, it works even if you don't pass the unix time in the URL, like this:
https://my.callofduty.com/api/papi-client/inventory/v1/title/iw/platform/${plateform}/gamer/${profile}/currency/

EDIT: Another endpoint:
https://my.callofduty.com/api/papi-client/crm/cod/v2/title/iw/platform/psn/gamer/<PSN>/matches/days/7/
Example: You must login or register to view this content.

You can see the latest matches of someone; it has some "interesting" stuff. I don't know why, but it doesn't need any authentication and you can look up matches of anyone (even if on the app itself you can't).
Last edited by Marbella ; 09-24-2017 at 07:46 AM.
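
Added example (not part of any post in this thread, and not Activision's code): a toy model of the "could be a cache thing" hypothesis from post #8, showing how a shared cache keyed on URL alone would keep serving a logged-in user's response to a cookieless client until its TTL runs out, and how honoring `Cache-Control` closes that gap. The thread never confirms the cause; the cache class, the 300-second TTL (matching the reported "5 mins"), the `example_user` name and the response body are all assumptions constructed for illustration.

```python
# Hypothetical model of a shared cache in front of a per-user endpoint.
TTL = 300  # seconds; assumption chosen to match the "5 mins" in the thread

def origin(path, cookies):
    """Constructed origin: per-user data is returned only with a session cookie."""
    if "ACT_SSO_COOKIE" not in cookies:
        return 401, {}, '{"error": "no token"}'
    # The origin marks the response as per-user; a weak cache ignores this.
    return 200, {"Cache-Control": "private, no-store"}, '{"keys": 12}'

class SharedCache:
    def __init__(self, honor_cache_control):
        self.honor = honor_cache_control
        self.store = {}  # path -> (expires_at, response); key is the URL only

    def _storable(self, cookies, resp):
        status, headers, _ = resp
        if status != 200:
            return False
        if not self.honor:
            return True  # weak setting: stores every 200, credentials or not
        directives = {d.strip().lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        if directives & {"private", "no-store"}:
            return False
        # A credentialed request is stored only when explicitly marked public.
        return not cookies or "public" in directives

    def get(self, path, cookies, now):
        hit = self.store.get(path)
        if hit and hit[0] > now:
            return hit[1]  # served without consulting the origin's auth check
        resp = origin(path, cookies)
        if self._storable(cookies, resp):
            self.store[path] = (now + TTL, resp)
        return resp

def replay(honor_cache_control):
    """Logged-in request at t=0, then cookieless requests at t=60 and t=301."""
    cache = SharedCache(honor_cache_control)
    path = "/inventory/v1/title/iw/platform/psn/gamer/example_user/currency/"
    cache.get(path, {"ACT_SSO_COOKIE": "constructed-value"}, 0)
    return [cache.get(path, {}, t)[0] for t in (60, 301)]
```

`replay(False)` gives the status codes a cookieless client sees behind the weak cache, and `replay(True)` gives them once the cache respects `private` and `no-store`.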

Copyright © 2024, NextGenUpdate.
All Rights Reserved.