Show HN: Venmo Unofficial API
TIL Venmo uses GraphQL.
It's interesting to note, too, that the current Venmo website posts to https://account.venmo.com/api/eligibility to get a token and then separately to https://account.venmo.com/api/payments to perform the actual payment. Those endpoints and shapes are different than what's in the script, which posts to https://api.venmo.com/v1/payments (https://github.com/Integuru-AI/Venmo-Unofficial-API/blob/a28...). I wonder if the v1 API is an older one used for some other service (the mobile app, maybe?).
Thanks for sharing, OP.
This will not end well.
If someone with millions or billions of dollars doesn’t have an official API after operating for years, that’s because they don’t want to have one. You may receive a Cease and Desist letter, or they might block your IPs, or just scramble their markup in ways that are hard to figure out. Whatever their approach, they likely have more money and manpower to throw at stopping you than you have to evade them, especially if you’re doing this to multiple large and powerful companies.
Fintech and unofficial APIs are two things I wouldn’t consider using at best, and at worst they are extremely risky and can possibly get you into trouble.
Former Venmo here.
PayPal Legal is going to love this
What happens if they require 2FA via SMS or an Authenticator app to log in? Can you indefinitely refresh auth?
Looks awesome! How do you get a bearer token? And did you look into authing transactions for other users?
works until it doesn't
The negativity is shocking. This is HACKER News. Elegant workarounds of limitations are usually celebrated.
IMO, this should be standard procedure. If you don't want to provide the means to build greater things off of your product, expect that others will. It's a bit ironic, given that they're using open source libraries to build their product.
This is actually dangerous.
This is how you see spammers, scammers and grifters target people with fake bots on most platforms, and the producer, i.e. Venmo, traces it to an SDK and will kill all these unofficial API consumers.
And once captchas are introduced it's over. I wouldn't be surprised if stuff like captchas would be implemented more into websites to stop scrapers for good.
To everyone criticizing this project, you should probably dig a bit to find out what the context of this project is.
From the integuru page:
> We build integrations with platforms lacking official APIs. We specialize in low-latency integrations via reverse-engineering. All integrations are open-source.
So these warnings are probably wasted on someone that is very much aware of what he is doing.