Resy is a very interesting platform to mess around with. I still consider myself to be a noobish developer, but even I can see that there are many glaring flaws on the platform. The most annoying thing that I've encountered on their website though is that they misuse the 500 response and essentially throw it around for anything that isn't a 200 or 400.
Before making a full scalper bot, I created a scraper that would check the availability of the top restaurants in New York every 15 seconds or so. If a good reservation was available, the script would send me a Discord webhook with the link to the restaurant so that I could go claim the dinner reservation manually. After doing this for a few months, I figured I might as well try scaling things up, since I was making a few thousand dollars a month from this stuff at that point.
I thought it would be hard to expand the scraper into a bot, but I quickly learned it wouldn't really be that bad. I already had the difficult logic figured out; all that was left was to automate the checkout process once I found a good reservation available. I used Proxyman to see what HTTP requests the browser would make and then I simply repeated that flow in my code. To my surprise everything was working smoothly, but then I encountered captchas on some restaurants.
I am familiar with captchas and quickly integrated a third-party captcha solver, but I noticed that I was still too slow to get reservations, so I knew I was missing something. I messed around with Postman for quite some time manipulating requests until I hit the jackpot: I figured out a way to bypass the captchas COMPLETELY on Resy's platform.
There was a POST request that would be sent to Resy's server to finally check out a reservation. This request's body would contain information regarding the reservation, and after solving a captcha the captcha token would get included in here. I discovered, though, that if you convert the POST request to a GET request and append the previous POST's body to the URL as parameters, then this will allow you to send the same request even with the captcha token missing. This discovery resulted in my bot becoming fast as fuck and helped me source a lot more reservations than I ever could before.
Unfortunately for me though, New York has made it illegal to resell dinner reservations, so I closed up shop a while ago and decided to make an open-source version of my software so that other people can claim reservations for their personal use. I haven't even been to New York yet, but when I visit I'll be sure to use this to hit the top restaurants. Will gladly answer any questions regarding this too!
Also sorry if this isn't very readable. I am writing this post while working on a different agentic bot that I'll also use to wreak havoc.
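For anyone defending an endpoint like this, here is an added example (not part of the original post and not Resy's code) of one way this class of bug can arise and how to close it. The post does not say why the GET variant worked server-side, so the cause modelled here is an assumption: the captcha check is tied to the POST verb, while the handler accepts any verb and merges query-string and body parameters. All names, the `captcha_token` field and the token value are hypothetical.

```python
from urllib.parse import parse_qsl

# Constructed stand-in for a call to the captcha provider's verification API.
VALID_TOKENS = {"tok-ok"}


def verify_captcha(token):
    return token in VALID_TOKENS


def book(params):
    # Constructed placeholder for the state-changing booking logic.
    return 200, "booked " + params.get("slot", "?")


def weak_dispatch(method, query, body):
    """Assumed flaw: the captcha filter runs only for POST, but the handler
    serves every verb and reads parameters from the query string or the body."""
    params = dict(parse_qsl(query))
    params.update(parse_qsl(body))
    if method == "POST" and not verify_captcha(params.get("captcha_token")):
        return 403, "captcha required"
    return book(params)


def hardened_dispatch(method, query, body):
    """One verb, one parameter source, and the check lives inside the handler."""
    if method != "POST":
        # State-changing routes reject every other verb outright.
        return 405, "method not allowed"
    # Only the body is trusted; query-string parameters are ignored.
    params = dict(parse_qsl(body))
    if not verify_captcha(params.get("captcha_token")):
        return 403, "captcha required"
    return book(params)


if __name__ == "__main__":
    # Constructed requests: the same parameters sent as POST body and as GET query.
    for dispatch in (weak_dispatch, hardened_dispatch):
        print(dispatch.__name__,
              dispatch("POST", "", "slot=1900"),
              dispatch("GET", "slot=1900", ""))
```

A useful detection signal alongside the fix is any GET request to a booking or checkout route that carries parameters normally seen only in POST bodies.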