Whitelisted User Agent Unable to Authenticate With Private API (Possible Cloudflare Validation Bug)

[lucasfeliciano]

Summary

Even when using a user agent that support confirmed is whitelisted, authentication requests to the private API still trigger Cloudflare validation errors. This prevents obtaining an access token and makes automated API usage impossible.

Steps to Reproduce

1. Use a whitelisted user agent provided by Moxfield support.
2. Make a POST request to either of the following endpoints:
   • https://api.moxfield.com/v1/account/token
   • https://api2.moxfield.com/v2/account/token
3. Include valid credentials in the request body.

Example Request

curl -X POST "https://api.moxfield.com/v1/account/token" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "User-Agent: [redacted]" \
  -d '{
    "userName": "[redacted]",
    "password": "[redacted]"
  }'

Actual Responses

v1 endpoint response:

{
    "type": "https://tools.ietf.org/html/rfc9110#section-15.5.1",
    "title": "Bad Request",
    "status": 400,
    "traceId": "00-7787ff72b0a2dbfb3e30603065f1aa5a-3e1e2f950bc7e285-00"
}

v2 endpoint response:

{
    "token": [
        "The Token field is required."
    ]
}

Expected Behavior

A successful response should return an access token without requiring Cloudflare or reCAPTCHA validation when using a whitelisted user agent.

Additional Notes

Support confirmed that the user agent being used is whitelisted. Because of that, requests should bypass Cloudflare's bot protection. However, both private API token endpoints still appear to require Cloudflare or reCAPTCHA validation.

This suggests that the whitelist may not be applied correctly for these endpoints, or that the authentication path may not be handling whitelisted user agents as intended.

Impact

This issue prevents any automated interaction with the private API, even for approved clients.

If this is the intended behavior, please disregard this bug report.