A bit more technical context on how I tested this, since people usually ask about methodology. I took the exact cURL from the browser’s network tab and generated variations around it: missing fields, oversized body, invalid types, wrong methods, malformed JSON, and different auth states. Nothing fancy or brute-force — just the basics of what a QA engineer would check to understand API hygiene.
The surprising part was not that bugs existed, but which ones appeared: a large payload causing a 500 instead of a controlled 413, and later the backend returning the entire user-provided payload back in a 422. Both cases create avoidable load and unnecessary reflection, which is rare to see in well-designed public APIs. The bigger surprise was how fast these were fixed. Three separate issues were resolved within days, which is unusually quick for any large-scale system.
liudasjank•52m ago
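The two behaviours the comment expects (a controlled 413 for an oversized body, and a 422 that does not reflect the payload), as an added Python example that is not part of the original comment or of the API it tested. The 64 KiB cap, the `email`/`age` schema, and the names `handle` and `run_variations` are assumptions made for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024                    # assumed cap, not a value from the post
REQUIRED_FIELDS = {"email": str, "age": int}  # hypothetical schema

def handle(method, headers, body):
    """Return (status, response dict) for one request; input values are never echoed."""
    if method != "POST":
        return 405, {"error": "method_not_allowed"}
    # Reject on the declared length first so an oversized body is never parsed,
    # then on the real length because the header can be missing or wrong.
    declared = headers.get("Content-Length", "")
    if (declared.isdigit() and int(declared) > MAX_BODY_BYTES) or len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload_too_large", "limit": MAX_BODY_BYTES}
    try:
        data = json.loads(body)
    except (ValueError, RecursionError):      # bad JSON, bad UTF-8, absurd nesting
        return 400, {"error": "malformed_json"}
    if not isinstance(data, dict):
        return 422, {"error": "validation_failed", "fields": {"_body": "expected object"}}
    problems = {}
    for name, expected in REQUIRED_FIELDS.items():
        if name not in data:
            problems[name] = "missing"
        elif type(data[name]) is not expected:
            problems[name] = "expected " + expected.__name__
    if problems:
        # Field names and reasons only: the 422 stays small whatever was submitted.
        return 422, {"error": "validation_failed", "fields": problems}
    return 200, {"ok": True}

def run_variations():
    """Replay constructed variants of one valid request; return {name: (status, response)}."""
    good = {"email": "user@example.test", "age": 30}
    cases = {
        "valid": ("POST", json.dumps(good).encode()),
        "wrong_method": ("GET", b""),
        "malformed_json": ("POST", b'{"email": '),
        "missing_field": ("POST", json.dumps({"email": good["email"]}).encode()),
        "invalid_type": ("POST", json.dumps({**good, "age": "MARKER-" + "x" * 500}).encode()),
        "oversized": ("POST", json.dumps({**good, "pad": "A" * MAX_BODY_BYTES}).encode()),
    }
    return {name: handle(m, {"Content-Length": str(len(b))}, b) for name, (m, b) in cases.items()}

if __name__ == "__main__":
    for name, (status, resp) in run_variations().items():
        print(name, status, resp)
```

Auth-state variations from the comment's list are left out here; they would be checked before the body is read at all.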