Reddit deprecating unauthenticated .json endpoints — authentication required to function #40

@PortableProgrammer

What changed

Reddit has rolled out blocks against unauthenticated access to .json API endpoints. From r/modnews:

Deprecating unauthenticated JSON access: We'll also be shutting down unauthenticated .json endpoints. These endpoints can be used to scrape Reddit without accountability. Logged-in and authenticated access won't be impacted. Otherwise, developers who need structured access to Reddit content should use Devvit, which includes various ways to access Reddit data.

(Devvit runs inside Reddit's infrastructure and is not viable for external clients like lurker.)

What we observed (2026-05-28)

Testing from the operator's home IP:

  • curl -sI to https://www.reddit.com/r/<any>.json with various UAs (Safari 26.0.1, Safari 18.1, Chrome 130, iPhone Safari, Android Chrome) all returned HTTP/2 403 with a theme-beta HTML interstitial
  • 403 also returned with browser-shape headers (Accept, Accept-Language, DNT, Sec-Fetch-*)
  • 403 returned even with Reddit's recommended "honest" UA format <platform>:<app-id>:<version> (by /u/<username>)
  • HTML routes (/r/<sub>/hot) still returned 301 and worked normally — so reddit.com isn't blocking the IP, just the .json API
  • A real Safari Mobile from the same IP (operator's phone, home WiFi) succeeded against /r/formula1/.json
  • The combination implies multi-signal bot detection (TLS fingerprinting / JA3-JA4, HTTP/2 frame ordering, header characteristics) — not just UA-string matching. curl with a spoofed mobile UA gives itself away at the TLS layer.

What this means for lurker

src/geddit.js is built entirely on anonymous .json access — every one of its 20+ async methods is fetch(.../*.json). With anonymous access blocked, every method returns 403 and lurker has no content to render.

Per the modnews quote, authenticated .json access continues to work. So the fix is to add authentication rather than migrate endpoints. Implementation paths in increasing complexity:

  1. Cookie/session passthrough — operator logs into Reddit via browser, copies auth cookies into lurker config. Fragile, single-account, won't scale; useful only as a stopgap.
  2. OAuth application-only flow (grant_type=client_credentials) — register a Reddit OAuth app, send Authorization: Bearer <token> with every request. Works for read-only public content. Token expires hourly; re-auth is one POST. Lurker keeps its existing multi-user model on its own side (lurker users still register locally; Reddit only sees the lurker app identity).
  3. OAuth user flow (per-user Reddit accounts) — each lurker user authenticates with their own Reddit account. Defeats lurker's "no Reddit account necessary to subscribe to subreddits" pitch from readme.md.

Path 2 (application-only OAuth) is the canonical answer and what other Reddit clients use. The friction: manual app-registration + Reddit review process, multi-week approval delay per the Data API Terms, per-deployment friction (each lurker operator who self-hosts must register their own OAuth app), and trademark/branding realignment (the API Terms sections 4.1/4.2 are stricter than the Reddit Brand foundation lurker currently cites in readme).

Related / superseded

Status (2026-05-28)

The original lurker concept — lightweight, read-only, low-friction Reddit viewer without a Reddit account — is fundamentally at odds with Reddit's enforced direction. The operator is ruminating on whether to:

  • Pursue OAuth implementation here and accept the friction
  • Pivot to a non-Reddit aggregator backend (Lemmy, kbin, Mbin, Piefed) where lurker's view layer, ExtLinks pipeline, preferences, and auth model still apply
  • Wind the project down

No decision has been made; the project is not archived. If a path forward is chosen, this issue is the entry point for the implementation work.
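
An added example, not lurker's code and not written by the issue author: a sketch of path 2 (application-only OAuth) showing the hourly token being cached, refreshed with a single POST, and attached as a Bearer header. The class name `RedditAppAuth`, the injectable `fetchImpl`/`now` parameters and the 60-second early-refresh margin are assumptions; the two hosts are Reddit's documented OAuth token and API endpoints, and the client secret is expected to come from deployment config rather than source.

```javascript
// Added example: app-only OAuth token cache for a server-side Reddit client.
// RedditAppAuth, fetchImpl and now are hypothetical names, not part of lurker.
const TOKEN_URL = "https://www.reddit.com/api/v1/access_token";
const API_BASE = "https://oauth.reddit.com";

class RedditAppAuth {
  constructor({ clientId, clientSecret, userAgent, fetchImpl = fetch, now = Date.now }) {
    Object.assign(this, { clientId, clientSecret, userAgent, fetchImpl, now });
    this.token = null;    // cached bearer token
    this.expiresAt = 0;   // epoch ms after which the token is treated as stale
    this.pending = null;  // in-flight token request shared by concurrent callers
  }

  async getToken() {
    if (this.token && this.now() < this.expiresAt) return this.token;
    // Coalesce concurrent refreshes so a burst of requests causes one POST.
    if (!this.pending) {
      this.pending = this.requestToken().finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  async requestToken() {
    const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString("base64");
    const res = await this.fetchImpl(TOKEN_URL, {
      method: "POST",
      headers: {
        Authorization: `Basic ${basic}`,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": this.userAgent,
      },
      body: "grant_type=client_credentials",
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const { access_token, expires_in } = await res.json();
    this.token = access_token;
    // Refresh 60 s early so no request leaves with an about-to-expire token.
    this.expiresAt = this.now() + (expires_in - 60) * 1000;
    return access_token;
  }

  // Authenticated GET; on 401 the cached token is dropped and the call retried once.
  async get(path, retry = true) {
    const token = await this.getToken();
    const res = await this.fetchImpl(API_BASE + path, {
      headers: { Authorization: `Bearer ${token}`, "User-Agent": this.userAgent },
    });
    if (res.status === 401 && retry) { this.token = null; return this.get(path, false); }
    if (!res.ok) throw new Error(`${path}: HTTP ${res.status}`);
    return res.json();
  }
}
```

Error messages carry only the path and status code, so neither the client secret nor the bearer token ends up in application logs.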
