Authentication information to hit the API from scripts that require a Scrapbox login

Authentication information is set in the cookie while logged in with a browser. Use this.

This cookie is Secure and HttpOnly, so it is not known by looking at document.cookie.

To prevent cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript’s Document.cookie API

With Chrome Devtools, you can see it here.

  • image

Specifically, the name “connect.sid” contains authentication information. For example, when calling the API with requests, you can pass it as a cookie. python

cookies={"connect.sid": "..."}
r = requests.get("https://scrapbox.io/api/pages/...", cookies=cookies) 

We need to be careful not to leak this information.

  • If you leaked it, you can reset it by logging out and logging back in.

This page is auto-translated from /nishio/connect.sid using DeepL. If you looks something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I’m very happy to spread my thought to non-Japanese readers.