Comment by Uehreka
3 days ago
This will not end well.
If someone with millions or billions of dollars doesn’t have an official API after operating for years, that’s because they don’t want to have one. You may receive a Cease and Desist letter, or they might block your IPs, or just scramble their markup in ways that are hard to figure out. Whatever their approach, they likely have more money and manpower to throw at stopping you than you have to evade them, especially if you’re doing this to multiple large and powerful companies.
This is legal. See Teller API. Venmo will most likely lose if they take these devs to court based on precedent.
I don't like this trend of small time OSS devs being berated about legal bullying from megacorps, meanwhile handsomely VC-funded businesses get congratulated with legal help. We should be berating these companies of not releasing the APIs that people want to use!
We're in an age of AI, built atop agents, agents built atop APIs. APIs were the promise of Web 2.0, a promise being ripped away from us more and more by the day by these megacorps.
There should be a SPECIFIC legal funds/OSS unions protecting these Adversarial Interoperability projects and their maintainers from legal threat harassment by megacorps.
Just in the last 2 years we've had multiple near/passed-trillion dollar companies sending legal threats to OSS devs who have to fight them off on their own - one of them 15 years old.
Thank you alanalanlu and richardyhz for this project. Godspeed! And screw Venmo if they dare go after these two maintainers and their project!
Unfortunately it's all fun until Integruru or you get a cease and desist.
Will Integruru support you in your legal fight in court?
Most devs aren't ready to lawyer up.
You get a cease and desist letter, you cease and desist doing the stuff if you don't want / can't afford a legal fight.
Then you post the cease and desist letter on your website, and post about it on hacker news.
2 replies →
I'd be surprised if this was even noticed at all.
It's a third-party client making authentication and data collection requests, just like the hundreds of other credential stuffing toolkits (OpenBullet et al.) that are smashing the Venmo platform 24/7.
The most likely outcome for anyone using this is their account becoming restricted for unusual access patterns by the existing models already in place.
I'd also be a bit worried about using something like this in production, especially if it's packaged as a npm lib. Even if the original maintainer has good intentions, it'd be all too easy for some malicious actor to offer them a million dollars to introduce a trojan/credential MITM scraper to later versions.