VSCO is a popular photo sharing app. It has a public* API that allows you to access photos and videos from the app. While not fully intended for use by anyone, it has a public key that does not expire, and is global - meaning anyone can access it without limitations.
The main flaw in the security of VSCO's API is within their authentication. The API key is a bearer token. It is not unique, is not tied to a specific user, and does not expire. This means that anyone can use it for any use, and it will not be revoked.
To access the API, you need to know your VSCO site ID. This is a unique identifier that is assigned to each user.
GET
https://vsco.co/api/2.0/sites?subdomain=your-username
GET
https://vsco.co/api/3.0/medias/profile?site_id=siteId&limit=14&cursor=
GET
https://vsco.co/api/3.0/medias/articles?site_id=siteId&page=1&size=12
GET
https://vsco.co/api/3.0/medias/reposts?site_id=siteId&page=1&size=20