Have you ever purchased an IoT device, signed up for an application/service, or simply wanted to know how something worked, but were surprised when you found out that there was no documented API? First and foremost, I am taking a step back here from my traditional security practitioner position. Meaning, I am not talking about looking for admin-level or super secret root services; instead, I am merely talking about trying to figure out how an application or device works so that you can interface with it. You may have heard of IFTTT or Apple’s Shortcuts App; this post is about how you can start the process of creating your own integrations, even if the API isn’t officially supported. Another word of caution though, any time you integrate with an undocumented, unsupported API, you are opening yourself up to the possibility that the services/endpoints may change drastically with zero notice. This means your work may need to be tweaked, or may even be for naught. This is the risk you take when trying to hack your way into uncharted territory.