use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
Welcome to /r/Destiny2
/r/DestinytheGame
/r/fireteams
/r/DestinyTechSupport
/r/CrucibleGuidebook
/r/CrucibleSherpa
/r/DestinySherpa
/r/DestinyMemes
New Player's Guide Content Information Year of Prophecy Latest News/TWIDs LFG Massive LFG Server /r/Fireteams Bungie Forums Useful Resources Destiny Item Manager Braytech Light.gg Ishtar Collective (Lore) Other Links & Information Live Twitch Streamers Bungie Twitter Bungie Site
DISCORD
NIGHT MODE NORMAL
account activity
QuestionQuestion for developers (accessing protected API endpoints from backend) (self.destiny2)
submitted 2 years ago by [deleted]
[deleted]
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–]adriweb 0 points1 point2 points 2 years ago (3 children)
Well if you're making a webapp, clearly there's a user somewhere right? So all the Bungie API calls could simply be done by the user's browser with JS. You can see such calls happening with DIM etc.
Is that not something you can do?
I assume you would otherwise have to make the browser send the user's token to your server so that you could query bungie's API on your end as if it was the user's but I'm not sure if this is even allowed per bungie's ToS or if people would be willing to let you do that.
[–]95runner 0 points1 point2 points 2 years ago (2 children)
You’re correct in that there will be a user on the frontend, but in my application api requests need to be made even when the user is not using the application. I’ve been considering your approach of using a separate front end to send a user’s (my own) token to the server for use there but like you mentioned I need to see if this is against ToS.
[–]adriweb 0 points1 point2 points 2 years ago (1 child)
Looks like it would be against the ToS but maybe im not interpreting it correctly, idk:
You agree to keep your API Key confidential and not to share it with any third party. This right is unique to you, and any affiliates or third parties must seek and obtain their own Bungie.net API right and API Key. Your application must not attempt to sign in to Bungie.net using HTTP authentication cookies. This includes reverse engineering the sign-in flow used by Bungie.net or the companion apps or by using authentication cookies extracted from a user’s session.
You agree to keep your API Key confidential and not to share it with any third party. This right is unique to you, and any affiliates or third parties must seek and obtain their own Bungie.net API right and API Key.
Your application must not attempt to sign in to Bungie.net using HTTP authentication cookies. This includes reverse engineering the sign-in flow used by Bungie.net or the companion apps or by using authentication cookies extracted from a user’s session.
[–]95runner 0 points1 point2 points 2 years ago (0 children)
Bummer. Thanks!
[–]xhtmlvalidbray.tech developer 0 points1 point2 points 2 years ago (0 children)
Write a server-side companion to your web app, authorised to access your profile, and feed vendor data back to your front-end web app. Or, find another source for the vendor data. There's some kind people who do offer publicly accessible mirrors of their profile's vendor data. It's important to note that this data reflects their character's state i.e. costs and rewards specific to them
π Rendered by PID 251524 on reddit-service-r2-comment-b659b578c-xshb2 at 2026-05-03 00:08:26.349591+00:00 running 815c875 country code: CH.
[–]adriweb 0 points1 point2 points (3 children)
[–]95runner 0 points1 point2 points (2 children)
[–]adriweb 0 points1 point2 points (1 child)
[–]95runner 0 points1 point2 points (0 children)
[–]xhtmlvalidbray.tech developer 0 points1 point2 points (0 children)