BungieNetPlatform

"Updates, discussions, and documentation of the BungieNetPlatform API."

originally posted in:BungieNetPlatform
9/13/2014 11:35:08 AM
3

Authentication

A pretty basic question, but how do you authenticate? I see both the C# and the Node.js API have some auth mechanisms and some ways to circumvent the CSRF protection. But I don't know what it is you're doing and how you're doing it, and I suck at C. I'm a Python guy and want to get some data to analyse, as well as create a Python wrapper. Any help appreciated!

  • Edited by Jarvis T. Smokin: 11/17/2014 12:28:22 PM
    I'm struggling a bit with this as well. If I go to the bungie.net site and log in (in my browser), then open a new tab in the same browser and go to this URL, then it returns a bunch of data:

    http://www.bungie.net/Platform/Destiny/TigerPsn/Account/<my account id>/Character/<my character id>/Inventory/?lc=en&fmt=true&lcin=true&definitions=true

    If I go to this URL to get the non-public view of my inventory, I get a message with an authorisation error:

    http://www.bungie.net/Platform/Destiny/2/MyAccount/Character/<my character id>/Vendor/892630493/?lc=en&fmt=true&lcin=true&definitions=true

    error returned:

    {"ErrorCode":99,"ThrottleSeconds":0,"ErrorStatus":"WebAuthRequired","Message":"Please sign-in to continue.","MessageData":{}}

    What I don't get is, if I'm already logged in in the browser and just opening a new tab, why is it saying I'm not signed in? Do I need to specifically send that request with something set in the request headers?

    2 Replies
    • At first, the CSRF protection really only is for POST data so you only need it if you want to actually do something beyond fetching data. You would probably need a headless browser to fetch the cookies from. I only know of QtWebkit but that might be a bit much. The basic steps you need to take are these:

      1. Choose an Auth Strategy you want to use (FB/PSN/XBL, haven't yet gotten Google to work).
      2. Automate the login process on a headless browser using your favorite scripting language. Use http://www.bungie.net/de/User/SignIn/[AuthStrategy] to get a proper redirect.
      3. Wait until you get back to the Bungie sign-in page with a code or better, check for the bungleatk token (you'll need it).
      4. Dump all the cookies from the browser, make sure that there is the bungleatk token.
      5. Feed the cookies into a cookiejar and use it on subsequent requests in your favorite scripting language.
      6. Profit.

      7 Replies
      • For the most part you just need to keep track of the cookies being used and, in certain circumstances, include an extra request header to mimic a browser.

        2 Replies
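
Steps 4 and 5 of the cookie procedure described in the replies above (dump the cookies, confirm bungleatk is present, feed them into a cookie jar), as an added Python example that is not code from any poster in this thread. The list-of-dicts dump format, the placeholder values, the `other_cookie` name and the `CHARACTER_ID` path segment are assumptions; `needs_sign_in` recognises the WebAuthRequired body quoted earlier in the thread.

```python
import json
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed sample dump; names other than bungleatk and all values are placeholders.
DUMPED = [
    {"name": "bungleatk", "value": "PLACEHOLDER_ATK", "domain": "www.bungie.net", "path": "/"},
    {"name": "other_cookie", "value": "PLACEHOLDER", "domain": "www.bungie.net", "path": "/"},
]
# Vendor URL from the thread, with a placeholder instead of a real character id.
URL = "http://www.bungie.net/Platform/Destiny/2/MyAccount/Character/CHARACTER_ID/Vendor/892630493/"


def build_jar(dumped):
    """Load dumped cookie dicts into a CookieJar; fail early if bungleatk is missing."""
    jar = CookieJar()
    for c in dumped:
        jar.set_cookie(Cookie(
            version=0, name=c["name"], value=c["value"],
            port=None, port_specified=False,
            domain=c["domain"], domain_specified=True,
            domain_initial_dot=c["domain"].startswith("."),
            path=c["path"], path_specified=True,
            secure=c.get("secure", False), expires=c.get("expires"),
            discard=False, comment=None, comment_url=None, rest={}))
    if not any(c.name == "bungleatk" for c in jar):
        raise ValueError("cookie dump has no bungleatk token; sign-in did not complete")
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the jar's domain and path matching rules
    return req.get_header("Cookie")


def needs_sign_in(body):
    """True when a response body is the WebAuthRequired error (ErrorCode 99)."""
    reply = json.loads(body)
    return reply.get("ErrorCode") == 99 or reply.get("ErrorStatus") == "WebAuthRequired"


if __name__ == "__main__":
    jar = build_jar(DUMPED)
    print(cookie_header_for(jar, URL))
```

For real requests, pass the same jar to `urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))` and run `needs_sign_in` on each response body to notice when the session has lapsed.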