THREAD: Call of Duty API Endpoints
  1. 09-23-2017, 03:07 PM
    Tustin
    Recently, Activision You must login or register to view this content.. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

    Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

    Resources:

    API URLs:
    IW: You must login or register to view this content.
    BO3: You must login or register to view this content.

    Platform Identifiers (used for 'platform' parameter):
    PSN - psn
    Xbox Live - xbl
    Steam - steam

    Endpoints:

    User Stats:
    GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

    Leaderboards:
    GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

    Quartermaster Inventory (requires authentication):
    Support for BO3 supply drops isn't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
    GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) not sure what the 'c' param is used for. The value is a unix timestamp but maybe it stands for cache?

    Keys/Salvage/COD Points (requires authentication):
    Again, requires authentication and also doesn't support BO3.
    GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

    Purchasing Supply Drop (requires authentication):
    This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

    Opening Supply Drop (requires authentication):
    Again, I've only tested this with common crates.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


    That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!
  2. The Following 5 Users Say Thank You to Tustin For This Useful Post:


  3. 09-24-2017, 03:37 PM
    Frosty
    Originally Posted by Marbella View Post
    It's strange, I made a little video:
    You must login or register to view this content.

    If I have my cookies and go to the link, it works, and even if I delete my cookies it works (but it shouldn't); it's the same for other links.
    It lasts like 5 mins before I get the no token error.

    Another detail: when you get currency or get inventory on IW, it works even if you don't pass the unix time in the URL, like this:
    https://my.callofduty.com/api/papi-client/inventory/v1/title/iw/platform/${plateform}/gamer/${profile}/currency/

    EDIT: Another endpoint:
    https://my.callofduty.com/api/papi-client/crm/cod/v2/title/iw/platform/psn/gamer/<PSN>/matches/days/7/
    Example: You must login or register to view this content.

    You can see the latest matches of someone. It has some "interesting" stuff. I don't know why, but it doesn't need any authentication and you can look up the matches of anyone (even if on the app itself you can't).


    Would be interesting if there's a way to write, instead of it being read-only. Imagine the hilarity of being able to edit BO3/IW stats through their own website.
  4. 09-24-2017, 03:39 PM
    SC58
    you could also strip the server stuff out of the game to make an API to edit anyone's stats without having to be on the game, but something like this should never see the light of day
  5. 09-24-2017, 03:40 PM
    SC58
    Originally Posted by SC58 View Post
    you could also strip the server stuff out of the game to make an API to edit anyone's stats without having to be on the game, but something like this should never see the light of day


    Originally Posted by Frosty View Post
    Would be interesting if there's a way to write, instead of it being read-only. Imagine the hilarity of being able to edit BO3/IW stats through their own website.


    you could do this on all cods
  6. The Following User Thanked SC58 For This Useful Post:


  7. 09-24-2017, 04:40 PM
    Tustin
    Originally Posted by SC58 View Post
    you could also strip the server stuff out of the game to make an API to edit anyone's stats without having to be on the game, but something like this should never see the light of day

    It's difficult because they almost certainly cert pin the exe so you can't just sniff the requests. You could always try to disable it so it uses certificates from the Windows certificate store but the server may just reject those requests. Hell they might not use HTTP(S) at all for that kind of stuff. I haven't really looked into it for COD.

    Of course, you could always just view the API endpoints in the exe itself but trying to map out request and response parameters in assembly is a pain in the ass.
  8. The Following User Thanked Tustin For This Useful Post:


  9. 09-24-2017, 06:22 PM
    Marbella
    Originally Posted by Tustin View Post
    It's difficult because they almost certainly cert pin the exe so you can't just sniff the requests. You could always try to disable it so it uses certificates from the Windows certificate store but the server may just reject those requests. Hell they might not use HTTP(S) at all for that kind of stuff. I haven't really looked into it for COD.

    Of course, you could always just view the API endpoints in the exe itself but trying to map out request and response parameters in assembly is a pain in the ass.


    Honestly, I'm a beginner in coding and I have already tried to look into a CoD eboot.elf and I don't see anything for an API. But I have looked into a 1.76 PS4 dump and there is an API which you can reverse (it's not CoD related but I think there would be some fun things to do with it).
  10. 09-24-2017, 10:04 PM
    SC58
    Originally Posted by Tustin View Post
    It's difficult because they almost certainly cert pin the exe so you can't just sniff the requests. You could always try to disable it so it uses certificates from the Windows certificate store but the server may just reject those requests. Hell they might not use HTTP(S) at all for that kind of stuff. I haven't really looked into it for COD.

    Of course, you could always just view the API endpoints in the exe itself but trying to map out request and response parameters in assembly is a pain in the ass.


    yeah it would be a lot of work to go about doing it
  11. 09-28-2017, 10:18 PM
    Marbella
    A little news: there is also an API for groups in BO3:
    You must login or register to view this content.

    Endpoints:

    (All of these need auth)

    See the user's current groups:
    https://www.callofduty.com/api/sso/cod/title/${plateform}/psn/user/teams
    Ex: You must login or register to view this content.

    See the current user's invitations:
    https://www.callofduty.com/api/sso/cod/title/bo3/${plateform}/invitations/incoming
    Ex: You must login or register to view this content.

    See the current user's guild "applications":
    https://www.callofduty.com/api/sso/cod/title/bo3/${plateform}/teams/${groupId}/applications
    Ex: You must login or register to view this content.

    View group info:
    https://www.callofduty.com/api/sso/cod/title/bo3/${plateform}/teams/${groupId}
    Ex: You must login or register to view this content.

    View group members:
    https://www.callofduty.com/api/sso/cod/title/bo3/${plateform}/teams/${groupId}/members
    Ex: You must login or register to view this content.

    View group banned members:
    https://www.callofduty.com/api/sso/cod/title/bo3/${plateform}/teams/${groupId}/bans
    Ex: You must login or register to view this content.

    "Interesting" fact: the website makes some requests to an "AW" API even if it's BO3. The URL is:
    You must login or register to view this content.
    But since I don't have AW I can't reverse it more.

    There is more to reverse (like group management etc.) but I will do it later maybe.

    Another "interesting" fact: I think you can create groups with color in their name since you can post things like "^5test". Can't test atm since my PS4 is in another room.

    EDIT: Yeah, you can put color in group names
    You must login or register to view this content.

    Maybe you can put other things like checkerboard or PSN symbols. You can't do that in game, I tried; "^" is an illegal character.

    EDIT 2: Tried something lol:
    You must login or register to view this content.
    Last edited by Marbella ; 09-28-2017 at 11:12 PM.

  12. The Following 3 Users Say Thank You to Marbella For This Useful Post:


  13. 09-29-2017, 12:35 AM
    Tustin
    Originally Posted by Marbella View Post

    Haha nice find man! You should make a separate thread with a full tutorial for doing it.
  14. The Following 2 Users Say Thank You to Tustin For This Useful Post:


  15. 09-29-2017, 06:07 AM
    Marbella
    Originally Posted by Tustin View Post
    Haha nice find man! You should make a separate thread with a full tutorial for doing it.


    I will make one tomorrow.

    Another strange thing: the group IDs aren't random. If you create one now you will have, like, the ID 35000 and the next one the ID 35001, etc.
    So I have done some research to see if devs have created some test groups, to grab some PSNs of 3arc.

    The first real group is this one:
    You must login or register to view this content.

    Which has ID 96. A strange thing is if you put a slash at the end of the link like this:
    You must login or register to view this content.

    It gives you a blank page. Also the majority of page IDs before 96 are blank pages, but some groups show up if you put a / at the end of the link or /members, so I wrote a little piece of software to see the dev groups.
    So I wrote some code which tests the first 100 group IDs. Here it is:

    const request = require("request");
    const interval = 1 * 500; // Lowering the interval can get your IP banned

    for (let i = 0; i < 100; i++) {
        setTimeout(function (i) {
            console.log("trying on " + i);
            // I ran the code on <groupid> with backslash, without backslash and with members; it seems like /members gives the best results
            request.get("https://www.callofduty.com/api/sso/cod/title/bo3/psn/teams/" + i + "/members", function (err, resp, body) {
                // Skip failed requests (resp is undefined then); a non-empty body means the group returned data
                if (!err && body !== "") {
                    console.log(resp.request.uri.href);
                }
            });
        }, interval * i, i);
    }



    As the comment explains, I ran tests on /groupid without backslash, with backslash, and /members and /members/

    And here are the three dev groups I found. I think the other one was deleted during game development:
    You must login or register to view this content.
    You must login or register to view this content.
    You must login or register to view this content.

    You can see only two PSNs:
    mendicantca
    QAMLIVE042ps

    They seem to be some dev PSNs (or maybe beta testers?). Can't look atm since my PS4 is in another room, but maybe they sometimes play dev games, like BO3 had "Northwood" as its beta secret name.
    Last edited by Marbella ; 09-29-2017 at 06:17 AM.
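
From the service operator's side, the sequential group-ID walk described in the post above is easy to spot in access logs. The following is an added example, not code from the thread or from Activision: it flags clients that request many consecutive team IDs within a short window. The log line format, the thresholds and the IP addresses are assumptions constructed for illustration.

```javascript
// Team-ID segment of the group endpoints quoted in the thread.
const TEAM_PATH = /\/api\/sso\/cod\/title\/bo3\/[a-z]+\/teams\/(\d+)(?:\/|$)/;
// Parse a constructed log line: "<ip> <iso-time> <method> <path> <status> <bytes>".
function parseLine(line) {
  const [ip, time, , path, , bytes] = line.trim().split(/\s+/);
  const m = TEAM_PATH.exec(path || "");
  if (!m || Number.isNaN(Date.parse(time))) return null;
  return { ip, t: Date.parse(time), id: Number(m[1]), empty: Number(bytes) === 0 };
}

// Flag clients that request many distinct team IDs within one time window,
// mostly in +1 steps: the signature of walking a sequential ID space.
function findEnumerators(lines, { windowMs = 60000, minIds = 20, minSeqRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const hit of lines.map(parseLine)) {
    if (!hit) continue;
    if (!byIp.has(hit.ip)) byIp.set(hit.ip, []);
    byIp.get(hit.ip).push(hit);
  }
  const flagged = [];
  for (const [ip, hits] of byIp) {
    hits.sort((a, b) => a.t - b.t);
    for (let start = 0, end = 0; end < hits.length; end++) {
      while (hits[end].t - hits[start].t > windowMs) start++;
      const win = hits.slice(start, end + 1);
      const distinctIds = new Set(win.map((h) => h.id)).size;
      const steps = win.filter((h, k) => k > 0 && h.id === win[k - 1].id + 1).length;
      const seqRatio = win.length > 1 ? steps / (win.length - 1) : 0;
      if (distinctIds >= minIds && seqRatio >= minSeqRatio) {
        const emptyRatio = win.filter((h) => h.empty).length / win.length;
        flagged.push({ ip, distinctIds, seqRatio, emptyRatio });
        break; // one alert per client is enough
      }
    }
  }
  return flagged;
}

// Constructed sample: a client walking IDs 0..39 every 500 ms, plus an ordinary client.
function sampleLog() {
  const at = (ms) => new Date(Date.parse("2017-09-29T06:00:00Z") + ms).toISOString();
  const url = "/api/sso/cod/title/bo3/psn/teams/";
  const walker = Array.from({ length: 40 }, (_, i) =>
    `203.0.113.7 ${at(i * 500)} GET ${url}${i}/members 200 ${i % 10 ? 0 : 512}`);
  const normal = [35000, 120, 9001].map((id, k) =>
    `198.51.100.4 ${at(k * 20000)} GET ${url}${id} 200 2048`);
  return walker.concat(normal);
}
console.log(findEnumerators(sampleLog()));
```

The reported emptyRatio is a useful second signal here, since the post notes that most low IDs return blank pages; non-guessable group identifiers remove the pattern at the source.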