User Agent sniffing and Code Combat API


Is there a reason why requests with a User-Agent header of “Python-urllib/3.4” get an HTTP 403 Forbidden response?

In addition, is there any documentation on how to use CodeCombat’s web API?


All requests need to have an associated user, basically. You can do this simply by going to /auth/whoami and you’ll be assigned an anonymous user object and a cookie for your session.

There is no documentation; the server is a bit of a mess and subject to change, but it’s basically a standard CRUD organization: /db/<collection name>/<slug or id>, with POST, GET, PUT and PATCH. Collection names are things like user, level, level.session, level.component, level.system, etc. You can also get JSON schemas describing the data structures from /db/<collection name>/schema. Many collections are versioned and can only be posted to (no overwriting of old versions with PUT).

Those are the basics. Is there anything in particular you’re wondering about?


I already knew about needing to get the session cookie, as I worked around the User Agent issue by simply spoofing the header to look like my browser. I wrote a quick and messy script which displays the top ten players for Criss Cross.

Note in particular that I spoof the User Agent field on every request. If I remove that on any of the three requests, I get an HTTP 403, whereas making the request without the session cookie results in an HTTP 401.

As for the API, so far I’m figuring out how to use it by looking at the requests made by the main Code Combat web app. There isn’t anything particular at the moment, but perhaps I’ll ask about something else in the future.
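The following is an added example, not part of the thread and not CodeCombat's code: it runs the request sequence described above against a local stub so the 403 (rejected User-Agent), 401 (no session cookie) and 200 (session obtained from /auth/whoami) cases can be told apart. The stub, its cookie name, its JSON bodies and the client name `example-client/0.1` are assumptions made for the example; only the paths and status codes come from the posts.

```python
import json, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENT = "example-client/0.1"  # hypothetical client name, an assumption

class Stub(BaseHTTPRequestHandler):
    """Constructed stand-in server; mimics only the behaviour the thread reports."""
    def log_message(self, *args):  # keep the demo quiet
        pass
    def reply(self, code, body, cookie=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_GET(self):
        # The User-Agent filter runs before any session check, hence 403 vs 401.
        if self.headers.get("User-Agent", "").startswith("Python-urllib"):
            return self.reply(403, {"error": "forbidden"})
        if self.path == "/auth/whoami":  # hands out an anonymous session
            return self.reply(200, {"anonymous": True}, "session=constructed; Path=/")
        if "session=" not in self.headers.get("Cookie", ""):
            return self.reply(401, {"error": "unauthorized"})
        self.reply(200, {"path": self.path})

def get(opener, url, agent=None):
    """Return (status, parsed JSON body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": agent} if agent else {})
    try:
        with opener.open(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def demo():
    """Status codes for: default UA, no session, whoami, then the same /db/ path."""
    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    direct = urllib.request.ProxyHandler({})  # ignore proxy environment variables
    anon = urllib.request.build_opener(direct)  # keeps no cookies
    sess = urllib.request.build_opener(direct, urllib.request.HTTPCookieProcessor(CookieJar()))
    steps = [(anon, "/db/level/schema", None), (anon, "/db/level/schema", AGENT),
             (sess, "/auth/whoami", AGENT), (sess, "/db/level/schema", AGENT)]
    try:
        return [get(o, base + p, a)[0] for o, p, a in steps]
    finally:
        server.shutdown()
```

Calling `demo()` returns the four status codes in order.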