THREAD: Call of Duty API Endpoints
  1. 09-23-2017, 03:07 PM
    Tustin
    Recently, Activision You must login or register to view this content.. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

    Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

    Resources:

    API URLs:
    IW: You must login or register to view this content.
    BO3: You must login or register to view this content.

    Platform Identifiers (used for 'platform' parameter):
    PSN - psn
    Xbox Live - xbl
    Steam - steam

    Endpoints:

    User Stats:
    GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

    Leaderboards:
    GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

    Quartermaster Inventory (requires authentication):
    Support for BO3 supply drops isn't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
    GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) Not sure what the 'c' param is used for. The value is a Unix timestamp but maybe it stands for cache?

    Keys/Salvage/COD Points (requires authentication):
    Again, requires authentication and also doesn't support BO3.
    GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

    Purchasing Supply Drop (requires authentication):
    This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

    Opening Supply Drop (requires authentication):
    Again, I've only tested this with common crates.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


    That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!
  3. 09-23-2017, 04:36 PM
    Frosty
    Originally Posted by Tustin

    You must login or register to view this content. Hmm, so Tustin never played Gorod?
  4. 09-23-2017, 09:59 PM
    Hydrogen
    Originally Posted by Tustin

    I'm going to take an educated guess, but are the c params

    // Configuration Parameters?

    I'm probably extra wrong, but it's worth a guess. Also, the authentication, I would throw my opinion over that, but I'm sure reversing the API and encryption authentication are probably two different things. I may be wrong as well so let me just stop here before I start rambling with nonsense.

    Furthermore, does this edit values inside of the games? Or are they just used for data collection?
  5. 09-23-2017, 10:09 PM
    Tustin
    Originally Posted by Frosty
    You must login or register to view this content. Hmm, so Tustin never played Gorod?

    I did, I even got to round 50 and beat the egg on that map. BO3 zombie stats seem to be off for some reason. I hacked together this site for IW zombies earlier this morning:
    You must login or register to view this content.
  7. 09-23-2017, 10:16 PM
    Tustin
    Originally Posted by Hydrogen

    Data collection mostly. I tried messing with a few things when it comes to buying supply drops but no dice. You can't edit your stats in any way using this.

    The authentication part wouldn't be too hard. You can login with PSN using Sony's OAuth2 flow, which I've already reversed for my PSN API library. Alternatively, you can login with an Activision account which makes it easier depending on if they use any "gotchas" (CSRF tokens, Captcha, etc). I just haven't got around to looking into it yet.
  9. 09-23-2017, 10:44 PM
    xNIGHTMAREM0DZx
    Interesting, although being able to edit stats would be badass, let's be honest.
  10. 09-24-2017, 01:20 AM
    Marbella
    I found a little difference when I searched for their API too: when I purchase a Common Crate I have "v1" in the URL (and not "v2"):
    https://my.callofduty.com/api/papi-client/inventory/v1/title/iw/platform/psn/gamer/<yourPsn>/item/CommonCrate/redeem
    Also, other endpoints I found:

    See the current weekly special deals in the supply drop market (doesn't need auth):
    You must login or register to view this content.

    See your current platforms and games you played (just pass your ACT_SSO_COOKIE):
    https://my.callofduty.com/api/papi-client/crm/cod/v2/identities/<ACT_SSO_COOKIE>/
    Also, for the authentication you can just use your cookies and pass them; it works.

    EDIT: There is something (maybe a vulnerability on their side): if I visit this link: You must login or register to view this content. even on a fresh web browser without cookies, it gives me my PSN and some info even if I'm not logged in. Maybe it only checks for the IP?
    Last edited by Marbella ; 09-24-2017 at 02:07 AM.

  12. 09-24-2017, 02:37 AM
    Tustin
    Originally Posted by Marbella

    Weird, it gives an error about "no token". Could be a cache thing? Seems like a bad idea to cache something like that tho.
  13. 09-24-2017, 03:18 AM
    Frosty
    Originally Posted by Marbella

    Same with Tustin, just says no token.
  14. 09-24-2017, 04:26 AM
    Marbella
    Originally Posted by Frosty
    Same with Tustin, just says no token.


    It's strange, I made a little video:
    You must login or register to view this content.

    If I have my cookies and go to the link, it works, and even if I delete my cookies it works (but it shouldn't). It's the same for other links.
    It lasts like 5 mins before I get the no token error.

    Another detail: when you get currency or get inventory on IW, it works even if you don't pass the Unix time in the URL, like this:
    https://my.callofduty.com/api/papi-client/inventory/v1/title/iw/platform/${plateform}/gamer/${profile}/currency/

    EDIT: Another endpoint:
    https://my.callofduty.com/api/papi-client/crm/cod/v2/title/iw/platform/psn/gamer/<PSN>/matches/days/7/
    Example: You must login or register to view this content.

    You can see the latest matches of someone. It has some "interesting" stuff. I don't know why, but it doesn't need any authentication and you can look up matches of anyone (even if in the app itself you can't).
    Last edited by Marbella ; 09-24-2017 at 07:46 AM.
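
Tustin's guess that a cache is involved, together with the roughly 5 minute window Marbella reports, matches how a shared cache keyed only on the URL behaves in front of an authenticated endpoint. The model below is an added example, not code from the thread or from Activision; the session store, path and 300 second TTL are constructed assumptions, and it puts the weak cache beside two fixes (binding the cache key to the session, or having the origin mark the response private).

```python
import time

SESSIONS = {"sso-abc": "player_one"}   # constructed session store
PATH = "/example/identities/"          # constructed path, not a real endpoint

def origin(path, cookie, mark_private=False):
    """Origin API: returns (status, body, cacheable)."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "no token", False
    # mark_private models sending "Cache-Control: private, no-store".
    return 200, f"identities for {user}", not mark_private

class SharedCache:
    """Toy shared cache (CDN or reverse proxy) in front of the origin."""
    def __init__(self, fetch, ttl=300, vary_on_session=False,
                 clock=time.monotonic):
        self.fetch, self.ttl = fetch, ttl
        self.vary_on_session = vary_on_session
        self.clock = clock
        self.store = {}

    def get(self, path, cookie=None):
        # Weak: key is the URL only. Hardened: key also binds the session.
        key = (path, cookie) if self.vary_on_session else (path,)
        hit = self.store.get(key)
        if hit and self.clock() - hit[0] < self.ttl:
            return hit[1]                      # served without asking origin
        status, body, cacheable = self.fetch(path, cookie)
        if status == 200 and cacheable:
            self.store[key] = (self.clock(), (status, body))
        return status, body

def scenario(vary_on_session=False, mark_private=False):
    """Logged-in request at t=0, then the same URL with no cookie at
    t=60 s and t=301 s. Returns the three status codes."""
    now = [0.0]
    cache = SharedCache(lambda p, c: origin(p, c, mark_private),
                        ttl=300, vary_on_session=vary_on_session,
                        clock=lambda: now[0])
    first = cache.get(PATH, "sso-abc")
    now[0] = 60.0
    second = cache.get(PATH)       # cookies deleted
    now[0] = 301.0
    third = cache.get(PATH)        # cache entry has expired
    return first[0], second[0], third[0]

if __name__ == "__main__":
    print("url-only key     :", scenario())
    print("session in key   :", scenario(vary_on_session=True))
    print("response private :", scenario(mark_private=True))
```

With the URL-only key the cookieless request is answered from cache until the TTL runs out, then fails with "no token"; with either fix it fails immediately.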