
How I reverse-engineered an HR attendance API in 3 days

A practical walkthrough of the methodology I use when there's no documentation: capturing traffic, mapping endpoints, and validating assumptions before writing a single line of automation.

The office attendance system kept marking me late when I wasn't. That single annoyance turned into a multi-day reverse engineering exercise — and a daemon I ran for 18 months.

This post is about the methodology, not the specific API. The methodology is portable: the same approach works for crypto airdrops, internal dashboards, and most third-party SaaS products without proper API access.

Step 1 — Watch before you touch

The first thing I do is open DevTools, switch to the Network tab, and actually use the application like a normal user. No code yet. Just clicking, scrolling, submitting forms.

I'm looking for three things: which endpoints are called, what order they're called in, and which calls actually carry the meaningful data versus the ones that are just analytics noise.

Step 2 — Capture the auth flow first

Auth is the hardest part of every API I've reverse-engineered. Get this wrong and nothing else matters. I always document the auth flow as a sequence of cURL commands first, before touching anything else.

Step 3 — Map the surface, not the depth

It's tempting to dive into one endpoint and figure out every parameter. Resist this. Walk the entire surface area first — login, list, detail, create, update, delete — even if you only need one of them. Patterns emerge that save you hours later.
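As an added example (not code from the post), here is a first automated pass over Steps 1 through 3: save the DevTools Network tab as a HAR file, then walk the entries in capture order to collapse ids into endpoint templates, count calls per endpoint, flag telemetry noise, and mark which calls send credentials and which response handed them out. The HAR fragment, the noise-host list and the id heuristics are constructed assumptions to adapt per application.

```python
# Added example (not from the original post): walk a DevTools HAR export in
# capture order and map the API surface. The HAR below is constructed, and
# the noise-host list and id heuristics are assumptions to adapt per target.
import re
from urllib.parse import urlsplit

NOISE_HOSTS = ("analytics.", "metrics.", "sentry.")   # assumed telemetry hosts
ID_SEGMENT = re.compile(r"^\d+$|^[0-9a-f]{8,}$")       # numeric or long hex ids

def template_path(path):
    """Collapse ids so /attendance/2024/03 and /attendance/2024/04 become one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))

def header(part, name):
    """Case-insensitive lookup of a header in a HAR request or response."""
    return next((h["value"] for h in part.get("headers", []) if h["name"].lower() == name), None)

def map_surface(har):
    """Return endpoints in first-seen order with call counts and auth/noise flags."""
    surface = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        key = (req["method"], url.netloc + template_path(url.path))
        info = surface.setdefault(key, {
            "method": req["method"], "endpoint": key[1], "calls": 0,
            "noise": url.netloc.startswith(NOISE_HOSTS),
            "sends_auth": False, "grants_auth": False})
        info["calls"] += 1
        # Step 2: which calls carry credentials, and which response handed them out
        info["sends_auth"] |= bool(header(req, "authorization") or header(req, "cookie"))
        info["grants_auth"] |= header(resp, "set-cookie") is not None
    return list(surface.values())

# Constructed HAR fragment: a login, an analytics beacon, two attendance reads.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://hr.example.test/api/login", "headers": []},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=x; HttpOnly"}]}},
    {"request": {"method": "GET", "url": "https://analytics.example.test/collect?ev=view", "headers": []},
     "response": {"status": 204, "headers": []}},
    {"request": {"method": "GET", "url": "https://hr.example.test/api/attendance/2024/03",
                 "headers": [{"name": "Cookie", "value": "sid=x"}]},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "GET", "url": "https://hr.example.test/api/attendance/2024/04",
                 "headers": [{"name": "Cookie", "value": "sid=x"}]},
     "response": {"status": 200, "headers": []}},
]}}

if __name__ == "__main__":
    for s in map_surface(SAMPLE_HAR):
        tag = "noise" if s["noise"] else ("grants auth" if s["grants_auth"] else "")
        print(f'{s["method"]:5} {s["endpoint"]:45} x{s["calls"]} auth={s["sends_auth"]} {tag}')
```

Run it against a real export with `json.load(open("capture.har"))` in place of `SAMPLE_HAR`; the rows that send auth but are not noise are the surface worth documenting as cURL commands.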

What you actually need to ship

For the attendance bot, the final implementation was about 200 lines of Python. The reverse engineering took three days. The actual coding took an afternoon.

That ratio — investigation vs. implementation — is normal. If you feel like you're spending too much time reading network requests and not enough writing code, you're probably doing it right.


Written by Eko

If you found this useful, follow @ekofyi on X for more notes like this — or get in touch if you have a problem to solve.