Snapchat Disclosure


Full disclosure on Snapchat's /ph/ and /bq/ endpoints can be found on gibsonsec.org.

Note: this documentation is incomplete and will constantly be updated.

This disclosure covers the latest endpoints (/loq/).

Each request to Snapchat's API must include a request token, which is generated from the auth token. I won't discuss how this is generated, as gibsonsec provides documentation.

Encryption and decryption of snaps and stories are also discussed on gibsonsec.

  1. Notes
    1. Common fields
  2. Registering an account
    1. Registering
    2. Adding a username
  3. Logging in


Notes

Wherever you see [...] it means I've cut out a portion of the text because it was unnecessarily long.

I will also generally only highlight important fields to make them stand out.

Common fields

The following table is a list of common fields you will encounter with Snapchat's API.

| Name | Type | Details |
| --- | --- | --- |
| username | string | the username of the account |
| req_token | string | a token sent with requests to authenticate them |
| auth_token | string | a token used to generate a req_token |
| logged | boolean | indicates whether a request was successful or not |

Registering an account

Registering (/loq/register)

{
    'age': 19,
    'birthday': '1996-01-21',
    'dsig': 'd56e1a29cdcd6b0924cf',
    'dtoken1i': '00001:VQIoDibzT8+2qcsnsP[...]',
    'email': 'john@example.com',
    'password': 'password',
}

| Name | Type | Details |
| --- | --- | --- |
| age | integer | the age of the user |
| birthday | string | the birthday of the user (YYYY-MM-DD) |
| dsig | string | see dsig |
| dtoken1i | string | see dtoken1i |
| email | string | the email tied to the account |
| password | string | the account's password |

If the request was successful, the response will be as follows:

{
    'should_send_text_to_verify_number': False,
    'auth_token': 'fc9b7223e1c5ddbe93b790966a24aa82',
    'snapchat_phone_number': '+447937985869',
    'email': 'john@example.com',
    'logged': True
}

| Name | Type | Details |
| --- | --- | --- |
| should_send_text_to_verify_number | string | self-explanatory |
| auth_token | string | see common fields |
| snapchat_phone_number | string | the number to send a text to in order to verify your number |
| email | string | the email tied to the account |
| logged | boolean | see common fields |

If the request was unsuccessful, the response will be as follows:

{
    'status': 000,
    'message': 'Response message.',
    'logged': True
}

| Name | Type | Details |
| --- | --- | --- |
| status | string | the status code of the response (changes depending on the message) |
| message | string | the error message (usually indicates invalid email/username) |
| logged | boolean | see common fields |

Adding a username (/loq/register_username)

{
    'username': 'john@example.com',
    'selected_username': 'fake_username'
}

| Name | Type | Details |
| --- | --- | --- |
| username | string | the email address of the user |
| selected_username | string | the username to be assigned |

If the request was successful, the response will be identical to the one returned when logging in.


Logging into an account (/loq/login)

{
    'username': 'username',
    'password': 'password',
    'ptoken': 'APA91bHwso2xcvtzbZDLCdIMHKOoBu[...]',
    'dtoken1i': '00001:EAT2SUMtQjG32nmLN04c4EcQXE6eNi[...]',
    'dsig': 'd56e1a29cdcd6b0924cf',
}

| Name | Type | Details |
| --- | --- | --- |
| username | string | the account's username |
| password | string | the account's password |
| ptoken | string | see ptoken |
| dsig | string | see dsig |
| dtoken1i | string | see dtoken1i |

If the request was successful, the response will be as follows:

{
    'conversations_response': [{}],
    'stories_response': {},
    'updates_response': {},
    'friends_response': {},
    'messaging_gateway_info': {},
    'background_fetch_secret_key': ''
}

The response when logging in is composed of 6 different parts (as seen above).

Conversations response

[{
    'last_interaction_ts': 1425486251999L,
    'pending_chats_for': [],
    'last_chat_actions': {
        'last_write_timestamp': 1425486251999L,
        'last_reader': 'fake_username1',
        'last_write_type': 'text',
        'last_writer': 'fake_username2',
        'last_read_timestamp': 1425486376783L
    },
    'pending_received_snaps': [],
    'conversation_messages': {
        'messaging_auth': {
            'mac': 'FJNXMPvslXEXWkRA0PUFOclOb219sFjhzgDyYbAx[...]',
            'payload': 'eyJ1c2VybmFtZSI6ImdoY29sbGVnZSIsImNv[...]'
        },
        'messages': [{
            'chat_message': {
                'body': {
                    'text': 'test message',
                    'type': 'text'
                },
                'chat_message_id': 'a6647952-0fec-4dc8-9be4-7f65405f775e',
                'seq_num': 183,
                'timestamp': 1425149750981L,
                'saved_state': {
                    'fake_username2': {
                        'version': 1,
                        'saved': True
                    }
                },
                'header': {
                    'to': ['fake_username2'],
                    'from': 'fake_username1',
                    'conv_id': 'fake_username1~fake_username2'
                },
                'type': 'chat_message',
                'id': 'cef3186b-5efe-4ff2-b292-3691e93f7800'
            },
            'iter_token': '{"fake_username1":183}~{}'
        }],
    },
    'iter_token': '1425486251999~fake_username2~fake_username1',
    'conversation_state': {
        'user_sequences': {
            'fake_username2': 68,
            'fake_username1': 235
        },
        'user_chat_releases': {
            'fake_username2': {
                'fake_username2': 68,
                'fake_username1': 235
            },
            'fake_username1': {
                'fake_username2': 68,
                'fake_username1': 235
            }
        },
    },
    'participants': ['fake_username2', 'fake_username1'],
    'id': 'fake_username2~fake_username1',
    'last_snap': {
        'c_id': 'FAKE_USERNAME1~1B8825F6-85F1-4DA52[...]',
        'rp': 'fake_username2',
        'm': 0,
        'ts': 1425134648000L,
        'st': 2,
        'sts': 1425134626427L,
        'id': '666812425134626427s'
    }
}]

| Name | Type | Details |
| --- | --- | --- |
| last_interaction_ts | long | timestamp of the last interaction |
| pending_chats_for | list | see pending_chats_for |
| last_chat_actions | dict | see last_chat_actions |
| pending_received_snaps | list | see pending_received_snaps |
| conversation_messages | dict | see conversation_messages |
| participants | list | list of participants in the chat |
| id | string | id of the chat |
| last_snap | dict | see last_snap |
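
Added example (not part of the original documentation): the dumps on this page appear to be Python 2 reprs, so long integers carry an `L` suffix that Python 3 refuses to parse. The code below parses such a dump and builds a UTC timeline from the conversation fields documented above, which is handy when reviewing a captured response. The function names, the trimmed sample and the reading of the timestamps as milliseconds since the Unix epoch are assumptions.

```python
import ast
import re
from datetime import datetime, timedelta, timezone

# Either a quoted string (kept as-is) or a Python 2 long such as 1425486251999L.
_STR_OR_LONG = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|\b(\d+)L\b""")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_py2_dump(text):
    """Parse a Python 2 repr under Python 3; the L suffix is dropped outside strings."""
    return ast.literal_eval(_STR_OR_LONG.sub(lambda m: m.group(1) or m.group(2), text))

def to_utc(ms):
    """Assumption: the 13-digit timestamps are milliseconds since the Unix epoch."""
    return EPOCH + timedelta(milliseconds=ms)

def timeline(conversations):
    """Return (utc_time, conversation_id, actor, action) tuples, oldest first."""
    events = []
    for conv in conversations:
        cid = conv.get("id", "?")
        act = conv.get("last_chat_actions") or {}
        if "last_write_timestamp" in act:
            events.append((to_utc(act["last_write_timestamp"]), cid,
                           act.get("last_writer"), "write:" + act.get("last_write_type", "?")))
        if "last_read_timestamp" in act:
            events.append((to_utc(act["last_read_timestamp"]), cid, act.get("last_reader"), "read"))
        for item in (conv.get("conversation_messages") or {}).get("messages", []):
            msg = item.get("chat_message")
            if msg:  # skip entries that carry no chat_message
                events.append((to_utc(msg["timestamp"]), cid,
                               msg["header"]["from"], "message:" + msg["body"]["type"]))
    return sorted(events, key=lambda e: e[0])

# Constructed sample, trimmed to the fields used here; shape follows the record above.
SAMPLE = """[{
    'id': 'fake_username2~fake_username1',
    'last_chat_actions': {
        'last_write_timestamp': 1425486251999L, 'last_write_type': 'text',
        'last_writer': 'fake_username2', 'last_reader': 'fake_username1',
        'last_read_timestamp': 1425486376783L},
    'conversation_messages': {'messages': [{'chat_message': {
        'body': {'text': 'sent 5L of water', 'type': 'text'}, 'timestamp': 1425149750981L,
        'header': {'to': ['fake_username2'], 'from': 'fake_username1'}}}]}
}]"""

if __name__ == "__main__":
    for when, cid, actor, action in timeline(parse_py2_dump(SAMPLE)):
        print(when.isoformat(timespec="milliseconds"), cid, actor, action)
```

The string `'sent 5L of water'` in the sample is there to show that text inside quotes is left untouched while the numeric suffixes are removed.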