Alex Spinov

Posted on Mar 25

5 Hidden APIs E-Commerce Sites Don't Want You to Know About

#javascript #webdev #api #tutorial

Every e-commerce site has a public-facing website. Behind it, there's an API that powers everything — search, product data, pricing, reviews.

Most of these APIs are undocumented but completely accessible.

I found them using Chrome DevTools → Network tab → filtering for JSON responses while browsing normally.

Here are 5 real examples with working code.

1. Best Buy — Product Search API

When you search on bestbuy.com, your browser calls their internal API. You can call it directly.

import httpx

response = httpx.get(
    'https://www.bestbuy.com/api/tcfb/model.json',
    params={
        'paths': [['shop','criteria','currentPage','searchResults']],
        'query': 'laptop'
    },
    headers={'User-Agent': 'Mozilla/5.0'}
)

results = response.json()
print(f"Found {len(results)} products")

What you get: Product names, prices, ratings, availability, SKUs — the same data that powers their search page.

Rate limit: ~30 requests/minute before soft throttling.

2. Target — Product Data via Redsky API

Target's frontend calls redsky.target.com for everything. It returns rich JSON.

import httpx

api_key = '9f36aeafbe60771e321a7cc95a78140772ab3e96'  # Public key from their JS bundle
response = httpx.get(
    f'https://redsky.target.com/redsky_aggregations/v1/web/pdp_client_v1',
    params={
        'key': api_key,
        'tcin': '54191097',  # Product ID from URL
        'pricing_store_id': '3991'
    }
)

product = response.json()['data']['product']
print(f"Name: {product['item']['product_description']['title']}")
print(f"Price: ${product['price']['formatted_current_price']}")

What you get: Full product details, pricing, reviews, availability by store.

3. Walmart — Search Without Scraping

Walmart's search is powered by a GraphQL endpoint.

import httpx

response = httpx.get(
    'https://www.walmart.com/orchestra/home/graphql/search',
    params={
        'query': 'wireless mouse',
        'page': '1',
        'sort': 'best_match',
        'cat_id': '0'
    },
    headers={
        'User-Agent': 'Mozilla/5.0',
        'Accept': 'application/json'
    }
)

items = response.json().get('data', {}).get('search', {}).get('searchResult', {}).get('itemStacks', [{}])[0].get('items', [])
for item in items[:5]:
    print(f"{item.get('name', 'N/A')}: ${item.get('price', 'N/A')}")

Rate limit: More aggressive than Best Buy. Use curl_cffi with Chrome impersonation for reliability.

4. Home Depot — Product API

Home Depot uses a fairly open internal API for product data.

import httpx

response = httpx.get(
    'https://www.homedepot.com/federation-gateway/graphql',
    params={'operationName': 'searchModel'},
    headers={
        'User-Agent': 'Mozilla/5.0',
        'x-experience-name': 'general-merchandise',
    },
    json={
        'operationName': 'searchModel',
        'variables': {'keyword': 'drill', 'storeId': '121'},
        'query': 'query searchModel($keyword: String) { searchModel(keyword: $keyword) { products { identifiers { productLabel } pricing { value } } } }'
    }
)

print(response.json())

Tip: Watch the Network tab on homedepot.com — every category page loads via this GraphQL endpoint.

5. Costco — Price Data API

Costco's prices are loaded dynamically via their warehouse API.

import httpx

response = httpx.get(
    'https://www.costco.com/CatalogSearch',
    params={
        'dept': 'All',
        'keyword': 'monitor',
        'currentPage': '1',
        'responseType': 'json'
    },
    headers={'User-Agent': 'Mozilla/5.0'}
)

print(response.json())

Note: Costco is more aggressive with bot detection. Use curl_cffi or rotate user agents.

How to Find Hidden APIs on Any Site

Open Chrome DevTools (F12)
Go to Network tab
Filter by Fetch/XHR
Browse the site normally — search, click products, filter
Look for JSON responses — those are the API calls
Right-click → Copy as cURL → convert to Python

Tools that automate this:

mitmproxy — intercept and log all HTTP traffic
Playwright Network Events — capture API calls programmatically

Legal Note

These APIs are called by your browser when you visit these sites normally. Accessing publicly available data is legal (see hiQ Labs v. LinkedIn, 2022). But always:

Respect rate limits
Don't overload servers
Check robots.txt
Don't redistribute copyrighted content

Want more hidden APIs? Check out awesome-web-scraping-2026 — 130+ tools for web data extraction.

Have you found any interesting hidden APIs? Share in the comments 👇

DEV Community