Appreciate!
The signature and session-validation aspect was definitely part of the investigation. What made this case particularly interesting was that multiple child APIs returning detailed records were already identifiable and functional once valid internal identifiers were available.
The bigger challenge was understanding the parent search architecture responsible for generating those identifiers in the first place. While the child APIs were visible through network traffic, the search workflow that produced the identifiers remained much harder to trace and isolate.
That's what made the exercise interesting from an API discovery perspective. The challenge wasn't only request validation, but also understanding how the search layer connected (href links) to the downstream record-level APIs.
That signature issue you ran into probably boils down to figuring out whether those parameters are cryptographically tied to your session or just derived from something predictable like a timestamp. That one detail makes a huge difference - it tells you whether cracking the signature is actually feasible or whether you're better off just spinning up browser automation and calling it a day. If you want to level up your architecture discovery game, start by explicitly mapping out where each parameter actually comes from (hardcoded stuff, session-derived, generated on the fly, whatever) right at the jump - that's honestly the difference between wrapping this up in a few hours versus drowning in it for weeks. This whole pattern is basically the industry standard now, especially in healthcare, fintech, and government systems where they're paranoid, rightfully so, about security.