December 15, 2025 · 5 min read

Reverse-Engineering an Undocumented API with Chrome DevTools

The BIGSELLER story - turning a closed platform into an open one with DevTools, cookies, and a polling state machine.

reverse-engineering · chrome-devtools · n8n

Some platforms ship comprehensive public APIs. Most don’t.

When I was asked to automate daily sales report exports for 5,461+ SKUs on a marketplace platform with zero public API, the official answer was: “you have to click the export button by hand every day.” That’s 45 minutes of human time, seven days a week, forever.

The unofficial answer was: the platform’s own dashboard uses an API. You just have to find it.


Step 1: Open DevTools, Do the Task Manually

Open Chrome DevTools (F12 or Cmd+Option+I), switch to the Network tab. Filter to XHR/Fetch. Now do the thing a human would do: click the export button on the dashboard.

Watch the Network tab light up. Every request the dashboard fires — that’s an API call. Most marketplaces’ internal APIs are just ordinary REST endpoints wrapped in cookie authentication.

Step 2: Find the Money Request

Look for the request that actually triggers the export. Usually it’s a POST to something like /api/export/trigger. The response will contain something like:

{ "code": 0, "data": { "processKey": "abc123xyz" } }

That processKey is the golden ticket. It’s how you track the export job through the rest of the flow.

Step 3: Copy as cURL

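Right-click the request → Copy → Copy as cURL. You now have the full request, including headers, cookies, and body payload. Paste it into a terminal. If it returns the same processKey, you’ve reproduced the auth flow. The copied command embeds your live session cookie, so treat it like a credential and keep it out of tickets, chat, and shared docs.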

Step 4: Build the Polling State Machine

Most async APIs work the same way:

  1. POST to trigger the job → get a processKey.
  2. Loop: POST to checkProcess with that key until the job is done.
  3. GET the final URL to download the artifact.

In n8n, this becomes a loop node with a custom JavaScript Code block that:

  • Extracts processKey from the trigger response
  • Passes it into every iteration via named node reference
  • Checks code === 1 (completion in this platform’s contract)
  • Bails out after 40 iterations (5 seconds each = 3:20 max)

Save the downloaded .xlsx to Google Drive. Schedule the whole thing for 08:00 daily. Done.
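The decision logic of that loop as a pure transition function, written here as an added example (it is not the author's n8n code). It keeps the two contracts apart (code 0 on trigger, code 1 on poll), enforces the 40-try cap, and backs off on 429. The pending response shape, the 401/403 handling, and the 60-second backoff ceiling are assumptions.

```javascript
// Added example, not the author's n8n code. From the post: code 0 + processKey on
// trigger, code 1 on poll completion, 40 tries at 5 s. Everything else is assumed.
const MAX_TRIES = 40, POLL_MS = 5000;
const MAX_BACKOFF_MS = 60000; // assumed ceiling for 429 backoff
const isFinal = (s) => s.phase === 'DONE' || s.phase === 'FAILED';
const start = () => ({ phase: 'TRIGGER', processKey: null, tries: 0, waitMs: 0, error: null });
const fail = (s, error) => ({ ...s, phase: 'FAILED', waitMs: 0, error });
// Count one more attempt and schedule the next request, or give up at the cap.
function retry(s, waitMs) {
  const tries = s.tries + 1;
  return tries >= MAX_TRIES ? fail({ ...s, tries }, 'gave up after ' + tries + ' tries') : { ...s, tries, waitMs };
}

// res = { status: HTTP status, body: parsed JSON or null }; returns the next state.
function next(s, res) {
  if (isFinal(s)) return s;
  // Exponential backoff on 429: double the previous wait, up to the ceiling.
  if (res.status === 429) return retry(s, Math.min(Math.max(s.waitMs, POLL_MS) * 2, MAX_BACKOFF_MS));
  // Assumption: an expired session cookie surfaces as 401/403.
  if (res.status === 401 || res.status === 403) return fail(s, 'session rejected, re-authenticate');
  const body = res.body;
  if (res.status !== 200 || !body || typeof body.code !== 'number') return fail(s, 'unexpected response shape');
  if (s.phase === 'TRIGGER') {
    const key = body.code === 0 && body.data ? body.data.processKey : null;
    if (typeof key !== 'string' || key === '') return fail(s, 'trigger returned no processKey');
    return { ...s, phase: 'POLL', processKey: key, waitMs: POLL_MS };
  }
  // POLL: only code 1 means finished; any other code is treated as still running.
  return body.code === 1 ? { ...s, phase: 'DONE', waitMs: 0 } : retry(s, POLL_MS);
}

// Offline driver: feeds responses through next() and sums the scheduled waits.
function simulate(responses) {
  let s = start(), waitedMs = 0;
  for (const res of responses) {
    s = next(s, res);
    waitedMs += s.waitMs;
    if (isFinal(s)) break;
  }
  return { ...s, waitedMs };
}

// Constructed sample run: trigger, one pending poll, one 429, then completion.
const SAMPLE = [
  { status: 200, body: { code: 0, data: { processKey: 'abc123xyz' } } },
  { status: 200, body: { code: 0 } }, // pending shape is an assumption
  { status: 429, body: null },
  { status: 200, body: { code: 1 } },
];
console.log(simulate(SAMPLE));
```

In a real loop, send the next request only after waiting waitMs, and stop as soon as the phase is DONE or FAILED.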

What to Watch For

Cookie expiry. Session cookies expire. Rebuild the auth flow if they refresh on a schedule the platform controls.

Rate limits. Private APIs often don’t document them. Monitor for 429s and add exponential backoff.

Response shape inconsistency. This particular platform returned code=0 for success on export-trigger but code=1 for completion on poll. Read the actual responses in DevTools — don’t trust your intuition about what “success” looks like.

ToS review. Reverse-engineering someone’s private API can violate their terms of service. Read the ToS before shipping to production. For client work on a platform with explicit rate limits, get written approval first.

When It’s Worth It

This approach saves hours of daily manual work for clients where a public API doesn’t exist. But it’s fragile — a UI redesign can break it overnight.

Rule of thumb: reverse-engineer when the manual work costs more than a monthly rebuild would, or when the data is genuinely locked behind no other path. Otherwise, lean on official APIs wherever they exist.

For the BIGSELLER workflow? It’s been running hands-off since day one. 5,461+ SKUs, reported daily. Zero manual clicks.
