In the months since, guests have had a lot of fun with it and it’s been awesome seeing occasional surprise memories from friends pop up. That said, building that integration wasn’t the most straightforward task. I documented the journey (and failures) I took to arrive at the ultimate solution, with the intention of illustrating that reverse engineering is largely about persistence, and full of surprises. Most notably, I did not expect to encounter a dynamically generated virtual machine that generates and injects the headers required to validate authentication requests.
Update: Since posting, folks have noted this exact same technology is in use at Nordstrom (https://www.nordstrom.com/mwp/integration/ns_common.js?async) and Target (https://assets.targetimg1.com/ssx/ssx.mod.js). The solution appears to be Shape Security.