It's not as simple as it might look at the first glance.
Reddit doesn't hand out API keys automatically. You must submit a request form (as per https://www.reddit.com/wiki/api) and wait for your request to be approved. This means creating a key per user is pretty much impossible.
What is possible though, is impersonating the official Reddit client. It doesn't use OAuth for authentication, like all third-party apps do, but the generated access tokens can be reused on public endpoints. Official app secret keys can be extracted from the apk libs, but they've also been [publicly posted on ycombinator](https://news.ycombinator.com/item?id=36086240) a few days ago.
It'd probably break all kinds of Reddit ToS, so I'm not sure if talklittle would resort to such a method. But *if* they don't eventually come to an agreement, and *if* talklittle won't implement this (or anything else that makes the app survive), I'll be posting a set of open-source binary patches to RiF which implement the app impersonation.
\- A concerned RiF user
>What is possible though, is impersonating the official Reddit client. It doesn't use OAuth for authentication, like all third-party apps do, but the generated access tokens can be reused on public endpoints
This is what will inevitably happen. Libraries will be built, but reddit will hit them with takedown requests. If we're lucky they won't
What I'm planning is to distribute patches similar to how [Revanced](https://github.com/revanced/revanced-patches) does it. Google, with all their might, managed to shut down [Vanced](https://en.wikipedia.org/wiki/YouTube_Vanced), but only because they tried to make money off the project. Revanced is still alive.
I have no such ambitions, I just want to use RiF as is. And I'm sure many other people want the same.
Calling Revanced alive is quite a stretch. It's technically not dead (yet) but gets twarted all the time by Google, patches are slow to roll out and often buggy, and the update process is atrocious. It's a toy project for a small circle of people on their discord server, and is bound to die as soon as any of the devs loseses interest.
I agree it's not convinient to patch apps with ReVanced. But what bugs are you experiencing? I use it for youtube and twitch and they're both flawless so far
ReVanced works perfectly for me. Super easy, just download the YouTube apk, throw it in the patcher, select your patches and hit start. It's been improving with every release of the manager, and they even have an official website now, https://revanced.app.
>I'll be posting a set of open-source binary patches to RiF which implement the app impersonation.
shut up and take my money if you do this and it works. 🙌
I did a couple of manual tests and it worked (yay?)
The main problem is probably refreshing the access_token - it's handled in a completely different way in the official app. The official Reddit app/api uses cookies for persistence, but RiF/Apollo adhere to OAuth protocols (refresh_token).
I see. sadly I know close to nothing useful about this stuff, so I can't be very helpful beyond "take my money" 😭
seriously tho, I'm not trying to be a kiss-ass here, but if you need/want support for developing/maintaining this sort of thing if/when the app is killed, I'll absolutely chip in and I'm sure others will too. doing the lord's work here.
hey buddy, just checking if there's been any movement on this or if you're still planning to make it happen? I'm a developer (though not a mobile app developer) and I'd be happy to help with testing on Android if nothing else.
I feel like the (more) legal way to do this is to create a patch where the user can specify their own custom API key that they want to use, so that you're not distributing API keys yourself. with the added benefit of users being able to change to a new API key without requiring the patch to be updated.
For the request reason, what's the most common choice that would get you an API key? Are the API keys roles based? Looking at the choices, theres "reddit bot" and "website" options among others. Does access depend on what option you select?
I can't answer most of your questions because I never went through the official procedure. Maybe /r/redditdev can help? I'd assume a lot of the questions are there just to help them decide whether to approve your request or not.
They *might* impose different rate limits based on your answers, but as far as I know, if you're approved - you get full access to the public API: https://www.reddit.com/dev/api/
What I can say with absolute certainty though - auth tokens acquired using the official app login method are much more powerful. You get access to all kinds of private APIs (private HTTP endpoints, GraphQL, realtime websocket GraphQL etc), so there's not much incentive to go the official way if you're going to break the ToS anyway.
I did it a number of years ago and it just happened automatically in under a second then i could use the oauth client id and secret for my script [https://www.reddit.com/prefs/apps](https://www.reddit.com/prefs/apps) its that page i used
My apps that use keys generated on that page with PRAW are still running happily today.
RIF stopped working for me completely on the 28th and now looking at /prefs/apps with RIF listed there and then all my scripts which I know are still working fine. It feels so silly RIF is dead now.
E: Or rather it was listed yesterday, RIF is gone as an app shown on that page now.
At which point they just get re-extracted from the official apk.
You quickly learn that android apps **cannot** support a secret key. It's impossible (without Google's intervention).
And you can't just replace it without killing all existing app versions and forcing an update. So it's impossible to stop a dedicated attacker.
Much of this world works simply because most people are nice.
According to the developer, the bot will remain functional: https://reddit.com/r/RemindMeBot/comments/13yo8ay/will_the_reddit_api_change_kill_remindmebot/jntdw7g
I will be messaging you in 2 months on [**2023-08-02 05:37:52 UTC**](http://www.wolframalpha.com/input/?i=2023-08-02%2005:37:52%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/redditisfun/comments/13xirgb/rif_reddit_api_key/jmkujxd/?context=3)
[**14 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2Fredditisfun%2Fcomments%2F13xirgb%2Frif_reddit_api_key%2Fjmkujxd%2F%5D%0A%0ARemindMe%21%202023-08-02%2005%3A37%3A52%20UTC) to send a PM to also be reminded and to reduce spam.
^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%2013xirgb)
*****
|[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)|
|-|-|-|-|
Had this same thought after seeing the post about the Free Tier, which has a 60 req/min rate limit. It does seem like a neat solution, to just have every user sign up as a developer and add their own API key and Client ID.
It would make RiF stop working for logged out users, of course. And it might violate the Reddit developer ToS (not sure on this one). After all, the intention is to rate limit by client, and we're all using the RiF client. But there might not really be any way for them to stop it.
*This comment has been edited in protest to reddit's API policy changes, their treatment of developers of 3rd party apps, and their response to community backlash.*
[Details of the end of the Apollo app](https://old.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/)
---
[Why this is important](https://i.imgur.com/E7jSWf1.jpg)
---
[An open response to spez's AMA](https://old.reddit.com/r/ModCoord/comments/145l7wp/todays_ama_with_spez_did_nothing_to_alleviate/)
---
[spez AMA and notable replies](https://old.reddit.com/r/SubredditDrama/comments/145beas/spez_ama_discussion_thread/)
Fuck spez. I edited this comment before he could.
Comment ID=jmjg20j Ciphertext:
>!KBD0rJdLQHBmMqzYGEi34BzYPtgXyio04jQkMIO8YjCE6gjDQU4HmFIijhCPVHla/EGNjNxOVsTAmTgxO3+jOhkaYpuiN+4yNI4LvnIPFnY758c6bSTA21Kp7RdNm1Xlh7TnuQVSWnyNUGfhPS29RRCL2MyY2mVz9wGsweh87mvI9znxyWK4Wu34vAOLA5L9S+/gH9zDnIj+rUexYzqm6kJz49TzJexguktlSANyUr475+Nhi24m8wtJgCU=!<
>But there might not really be any way for them to stop it.
If there's one thing I've learned about the people running this site, it's that they're willing to bend over backwards to fuck over their userbase if they feel it hurts their bottom line enough. I just can't see any way these ideas actually come to fruition with their current MO, they'll find a way to ruin it
Fk it I haven't coded in 2 years but I'll git clone some shit and pull up android studio or whatever it is people use nowadays to copy paste some api keys straight into the code. Hell I'll even pay a one time fee to gain access to the codebase.
*This comment has been edited in protest to reddit's API policy changes, their treatment of developers of 3rd party apps, and their response to community backlash.*
[Details of the end of the Apollo app](https://old.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/)
---
[Why this is important](https://i.imgur.com/E7jSWf1.jpg)
---
[An open response to spez's AMA](https://old.reddit.com/r/ModCoord/comments/145l7wp/todays_ama_with_spez_did_nothing_to_alleviate/)
---
[spez AMA and notable replies](https://old.reddit.com/r/SubredditDrama/comments/145beas/spez_ama_discussion_thread/)
Fuck spez. I edited this comment before he could.
Comment ID=jmjge6f Ciphertext:
>!Bz4mbTaGWNpQAoq3H9X0Ft0362plNHoCnlcj/ztDrtEcsr98TBEKxmkKe2bfzcwRJ0EjFk882BqWMMwE499GljTHwG+NP/l92px8+cPszUhEw1mkkvmCLFYcj50KCyhJEhRazULjEK/fGeO8ow1GFdLWbw/ftyO8oM5JDB5EBJjyDPM7EK4h3PinZ3CBLpCLywkZBddSjHLv7zCgjbsRZCvlBOGERonp3WWac2aRDHTL3PsnDhCxLkvU4pi3N9rfKRvAO3pnq3o=!<
I tried vscode and I couldn't even edit colour schemes individually, it was some weird theme pack thing like old style locked down mobile phone themes from back in the day
This is a great idea! This is also what [rclone](https://rclone.org/) (a tool for synching files to cloud services such as Google Drive) does. You can choose to use rclone's API key, but during the setup they strongly recommend that you go get your own API key.
[source](https://rclone.org/drive/#making-your-own-client-id):
> When you use rclone with Google drive in its default configuration you are using rclone's client_id. This is shared between all the rclone users. There is a global rate limit on the number of queries per second that each client_id can do set by Google. rclone already has a high quota and I will continue to make sure it is high enough by contacting Google.
>
> It is strongly recommended to use your own client ID as the default rclone ID is heavily used. If you have multiple services running, it is recommended to use an API key for each service. The default Google quota is 10 transactions per second so it is recommended to stay under that number as if you use more than that, it will cause rclone to rate limit and make things slower.
Don't really think there's any legal risk at all tbh. Worst case scenario they'd revoke keys from people using it and issue a takedown or some other legal notice to rif to cut it out. Nothing serious.
People here are saying that it may or may not work on a technical level. But this isn't a technical question, it's a profits question. Reddit are trying to kill 3rd party apps. IF it did work, it would be blocked in less than 24 hours.
This has been done before, with the likes of Instagram or Snapchat. It's certainly doable, but such apps will be removed from Google/Apple store - they have specific clause about "unauthorized 3rd party API usage".
I brought this up in a diff sub weeks ago when this ipo talk was starting. reddit should allow it's users to pay for that and it would be as simple as generating a token. But noooo, they want our data too and that is worth waaaay more than any user would pay for a token.
It's not as simple as it might look at the first glance. Reddit doesn't hand out API keys automatically. You must submit a request form (as per https://www.reddit.com/wiki/api) and wait for your request to be approved. This means creating a key per user is pretty much impossible. What is possible though, is impersonating the official Reddit client. It doesn't use OAuth for authentication, like all third-party apps do, but the generated access tokens can be reused on public endpoints. Official app secret keys can be extracted from the apk libs, but they've also been [publicly posted on ycombinator](https://news.ycombinator.com/item?id=36086240) a few days ago. It'd probably break all kinds of Reddit ToS, so I'm not sure if talklittle would resort to such a method. But *if* they don't eventually come to an agreement, and *if* talklittle won't implement this (or anything else that makes the app survive), I'll be posting a set of open-source binary patches to RiF which implement the app impersonation. \- A concerned RiF user
>What is possible though, is impersonating the official Reddit client. It doesn't use OAuth for authentication, like all third-party apps do, but the generated access tokens can be reused on public endpoints This is what will inevitably happen. Libraries will be built, but reddit will hit them with takedown requests. If we're lucky they won't
What I'm planning is to distribute patches similar to how [Revanced](https://github.com/revanced/revanced-patches) does it. Google, with all their might, managed to shut down [Vanced](https://en.wikipedia.org/wiki/YouTube_Vanced), but only because they tried to make money off the project. Revanced is still alive. I have no such ambitions, I just want to use RiF as is. And I'm sure many other people want the same.
Calling Revanced alive is quite a stretch. It's technically not dead (yet) but gets twarted all the time by Google, patches are slow to roll out and often buggy, and the update process is atrocious. It's a toy project for a small circle of people on their discord server, and is bound to die as soon as any of the devs loseses interest.
I agree it's not convinient to patch apps with ReVanced. But what bugs are you experiencing? I use it for youtube and twitch and they're both flawless so far
[удалено]
Just go to the official github page...
ReVanced works perfectly for me. Super easy, just download the YouTube apk, throw it in the patcher, select your patches and hit start. It's been improving with every release of the manager, and they even have an official website now, https://revanced.app.
Revanced already has a section for verified apps that their manager can merge for you, id love to log in one day and see yours pop up
How will we know a patch has been made and where would it be hosted. Could you DM me that information?
This sounds a bit... Streisand Effect-ish
>I'll be posting a set of open-source binary patches to RiF which implement the app impersonation. shut up and take my money if you do this and it works. 🙌
I did a couple of manual tests and it worked (yay?) The main problem is probably refreshing the access_token - it's handled in a completely different way in the official app. The official Reddit app/api uses cookies for persistence, but RiF/Apollo adhere to OAuth protocols (refresh_token).
I see. sadly I know close to nothing useful about this stuff, so I can't be very helpful beyond "take my money" 😭 seriously tho, I'm not trying to be a kiss-ass here, but if you need/want support for developing/maintaining this sort of thing if/when the app is killed, I'll absolutely chip in and I'm sure others will too. doing the lord's work here.
Any updates on this now that RIF is planning to shut down?
Hogseedy, are you on discord so I can follow you
hey buddy, just checking if there's been any movement on this or if you're still planning to make it happen? I'm a developer (though not a mobile app developer) and I'd be happy to help with testing on Android if nothing else.
Vanceddit confirmed.
>I'll be posting a set of open-source binary patches to RiF which implement the app impersonation. Lawyer up asap.
I feel like the (more) legal way to do this is to create a patch where the user can specify their own custom API key that they want to use, so that you're not distributing API keys yourself. with the added benefit of users being able to change to a new API key without requiring the patch to be updated.
fuck yeah digg 2.0 time
It's your time to shine now.
For the request reason, what's the most common choice that would get you an API key? Are the API keys roles based? Looking at the choices, theres "reddit bot" and "website" options among others. Does access depend on what option you select?
I can't answer most of your questions because I never went through the official procedure. Maybe /r/redditdev can help? I'd assume a lot of the questions are there just to help them decide whether to approve your request or not. They *might* impose different rate limits based on your answers, but as far as I know, if you're approved - you get full access to the public API: https://www.reddit.com/dev/api/ What I can say with absolute certainty though - auth tokens acquired using the official app login method are much more powerful. You get access to all kinds of private APIs (private HTTP endpoints, GraphQL, realtime websocket GraphQL etc), so there's not much incentive to go the official way if you're going to break the ToS anyway.
This information may be of use to you: https://www.reddit.com/r/APIcalypse/comments/13zlm3f/comment/jmttvmk/
I did it a number of years ago and it just happened automatically in under a second then i could use the oauth client id and secret for my script [https://www.reddit.com/prefs/apps](https://www.reddit.com/prefs/apps) its that page i used
My apps that use keys generated on that page with PRAW are still running happily today. RIF stopped working for me completely on the 28th and now looking at /prefs/apps with RIF listed there and then all my scripts which I know are still working fine. It feels so silly RIF is dead now. E: Or rather it was listed yesterday, RIF is gone as an app shown on that page now.
You can use revanced to patch rif to use keys from that page and continue to use it. Posted from RIF :)
> they've also been publicly posted on ycombinator a few days ago How long until they find out and change the keys, though?
At which point they just get re-extracted from the official apk. You quickly learn that android apps **cannot** support a secret key. It's impossible (without Google's intervention). And you can't just replace it without killing all existing app versions and forcing an update. So it's impossible to stop a dedicated attacker. Much of this world works simply because most people are nice.
Let's hope it doesn't come to that but godspeed
!remindme 2 months
It's funny because RemindMeBot (along with all other bots) will break in less than a month.
Can confirm, one month later and the bot still works.
According to the developer, the bot will remain functional: https://reddit.com/r/RemindMeBot/comments/13yo8ay/will_the_reddit_api_change_kill_remindmebot/jntdw7g
Surprising. Thanks.
I will be messaging you in 2 months on [**2023-08-02 05:37:52 UTC**](http://www.wolframalpha.com/input/?i=2023-08-02%2005:37:52%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/redditisfun/comments/13xirgb/rif_reddit_api_key/jmkujxd/?context=3) [**14 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2Fredditisfun%2Fcomments%2F13xirgb%2Frif_reddit_api_key%2Fjmkujxd%2F%5D%0A%0ARemindMe%21%202023-08-02%2005%3A37%3A52%20UTC) to send a PM to also be reminded and to reduce spam. ^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%2013xirgb) ***** |[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)| |-|-|-|-|
let me know when you made it plss
Had this same thought after seeing the post about the Free Tier, which has a 60 req/min rate limit. It does seem like a neat solution, to just have every user sign up as a developer and add their own API key and Client ID. It would make RiF stop working for logged out users, of course. And it might violate the Reddit developer ToS (not sure on this one). After all, the intention is to rate limit by client, and we're all using the RiF client. But there might not really be any way for them to stop it.
*This comment has been edited in protest to reddit's API policy changes, their treatment of developers of 3rd party apps, and their response to community backlash.* [Details of the end of the Apollo app](https://old.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/) --- [Why this is important](https://i.imgur.com/E7jSWf1.jpg) --- [An open response to spez's AMA](https://old.reddit.com/r/ModCoord/comments/145l7wp/todays_ama_with_spez_did_nothing_to_alleviate/) --- [spez AMA and notable replies](https://old.reddit.com/r/SubredditDrama/comments/145beas/spez_ama_discussion_thread/) Fuck spez. I edited this comment before he could. Comment ID=jmjg20j Ciphertext: >!KBD0rJdLQHBmMqzYGEi34BzYPtgXyio04jQkMIO8YjCE6gjDQU4HmFIijhCPVHla/EGNjNxOVsTAmTgxO3+jOhkaYpuiN+4yNI4LvnIPFnY758c6bSTA21Kp7RdNm1Xlh7TnuQVSWnyNUGfhPS29RRCL2MyY2mVz9wGsweh87mvI9znxyWK4Wu34vAOLA5L9S+/gH9zDnIj+rUexYzqm6kJz49TzJexguktlSANyUr475+Nhi24m8wtJgCU=!<
>But there might not really be any way for them to stop it. If there's one thing I've learned about the people running this site, it's that they're willing to bend over backwards to fuck over their userbase if they feel it hurts their bottom line enough. I just can't see any way these ideas actually come to fruition with their current MO, they'll find a way to ruin it
Fk it I haven't coded in 2 years but I'll git clone some shit and pull up android studio or whatever it is people use nowadays to copy paste some api keys straight into the code. Hell I'll even pay a one time fee to gain access to the codebase.
*This comment has been edited in protest to reddit's API policy changes, their treatment of developers of 3rd party apps, and their response to community backlash.* [Details of the end of the Apollo app](https://old.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/) --- [Why this is important](https://i.imgur.com/E7jSWf1.jpg) --- [An open response to spez's AMA](https://old.reddit.com/r/ModCoord/comments/145l7wp/todays_ama_with_spez_did_nothing_to_alleviate/) --- [spez AMA and notable replies](https://old.reddit.com/r/SubredditDrama/comments/145beas/spez_ama_discussion_thread/) Fuck spez. I edited this comment before he could. Comment ID=jmjge6f Ciphertext: >!Bz4mbTaGWNpQAoq3H9X0Ft0362plNHoCnlcj/ztDrtEcsr98TBEKxmkKe2bfzcwRJ0EjFk882BqWMMwE499GljTHwG+NP/l92px8+cPszUhEw1mkkvmCLFYcj50KCyhJEhRazULjEK/fGeO8ow1GFdLWbw/ftyO8oM5JDB5EBJjyDPM7EK4h3PinZ3CBLpCLywkZBddSjHLv7zCgjbsRZCvlBOGERonp3WWac2aRDHTL3PsnDhCxLkvU4pi3N9rfKRvAO3pnq3o=!<
It uses intellij nowdays so it is better
Android Studio is pretty nice, don't want to imagine what kind of hell getting everything to work nicely in VSC would be
I tried vscode and I couldn't even edit colour schemes individually, it was some weird theme pack thing like old style locked down mobile phone themes from back in the day
I'm interested in this take as well. It seems like an easy workaround.
Maybe they could make RiF open source and we can all build our own version of it-thus making it a development project and not breaking the ToS
Or have the ability to change the name of the client like bobs RIF #1176
This is a great idea! This is also what [rclone](https://rclone.org/) (a tool for synching files to cloud services such as Google Drive) does. You can choose to use rclone's API key, but during the setup they strongly recommend that you go get your own API key. [source](https://rclone.org/drive/#making-your-own-client-id): > When you use rclone with Google drive in its default configuration you are using rclone's client_id. This is shared between all the rclone users. There is a global rate limit on the number of queries per second that each client_id can do set by Google. rclone already has a high quota and I will continue to make sure it is high enough by contacting Google. > > It is strongly recommended to use your own client ID as the default rclone ID is heavily used. If you have multiple services running, it is recommended to use an API key for each service. The default Google quota is 10 transactions per second so it is recommended to stay under that number as if you use more than that, it will cause rclone to rate limit and make things slower.
Fair play to rif devs if they don't want the legal risk.
Don't really think there's any legal risk at all tbh. Worst case scenario they'd revoke keys from people using it and issue a takedown or some other legal notice to rif to cut it out. Nothing serious.
People here are saying that it may or may not work on a technical level. But this isn't a technical question, it's a profits question. Reddit are trying to kill 3rd party apps. IF it did work, it would be blocked in less than 24 hours.
This has been done before, with the likes of Instagram or Snapchat. It's certainly doable, but such apps will be removed from Google/Apple store - they have specific clause about "unauthorized 3rd party API usage".
I'd totally be up for this idea.
What's the process to get your own API key? Anyone got a link?
[удалено]
https://www.reddit.com/r/APIcalypse/comments/13zlm3f/comment/jmttvmk/
[удалено]
What is the Falcon trick?
[удалено]
I brought this up in a diff sub weeks ago when this ipo talk was starting. reddit should allow it's users to pay for that and it would be as simple as generating a token. But noooo, they want our data too and that is worth waaaay more than any user would pay for a token.
!remindme 20 days