Accessing VSCO's API - by @notlilj

VSCO is a popular photo-sharing app. It has a public* API that allows you to access photos and videos from the app. Although the API is not fully intended for general use, it relies on a public key that does not expire and is global, meaning anyone can access it without limitations.

The main security flaw in VSCO's API is in its authentication. The API key is a bearer token. It is not unique, is not tied to a specific user, and does not expire. This means that anyone can use it for any purpose, and it will not be revoked.
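The properties the paragraph above says are missing (unique, tied to a user, expiring, revocable), set beside a single static key, as an added example that is not VSCO's code or part of the original write-up. The key, signing secret, token format, subject names and function names are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Everything here is constructed for illustration; nothing is VSCO's real code.
SHARED_KEY = "constructed-shared-key"   # weak design: one static key for every caller
SECRET = b"constructed-signing-secret"  # hardened design: server-side signing key
REVOKED = set()                         # token ids the server has revoked

def check_shared_key(header: str) -> bool:
    """Weak: accepts any caller forever and cannot tell callers apart."""
    return hmac.compare_digest(header.encode(), f"Bearer {SHARED_KEY}".encode())

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(subject: str, token_id: str, now: int, ttl: int = 900) -> str:
    """Mint a token that is unique (token_id), bound to a user, and expires."""
    claims = {"sub": subject, "jti": token_id, "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token: str, now: int):
    """Return (subject, None) on success or (None, reason) on rejection."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None, "malformed"
    if claims["exp"] <= now:
        return None, "expired"
    if claims["jti"] in REVOKED:
        return None, "revoked"
    return claims["sub"], None  # caller can now rate-limit and audit per user

if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("user-42", "t-001", now)
    print(verify_token(token, now))             # accepted, attributed to user-42
    print(verify_token(token, now + 901))       # rejected: expired
    REVOKED.add("t-001")
    print(verify_token(token, now))             # rejected: revoked
```
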


*While public, the API should be used for educational purposes only. VSCO's terms of service forbid using their services for commercial purposes.



1) Retrieve your VSCO Site ID

To access the API, you need to know your VSCO site ID. This is a unique identifier that is assigned to each user.

GET

https://vsco.co/api/2.0/sites?subdomain=your-username

'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer 7356455548d0a1d886db010883388d08be84d0c9'



2) Use your site ID to fetch your photos

From your gallery

GET

https://vsco.co/api/3.0/medias/profile?site_id=siteId&limit=14&cursor=

'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer 7356455548d0a1d886db010883388d08be84d0c9'

From your journal

GET

https://vsco.co/api/3.0/medias/articles?site_id=siteId&page=1&size=12

'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer 7356455548d0a1d886db010883388d08be84d0c9'

From your reposts

GET

https://vsco.co/api/3.0/medias/reposts?site_id=siteId&page=1&size=20

'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer 7356455548d0a1d886db010883388d08be84d0c9'