Why don't people use the *.json API to make working (read-only) third-party apps?
Can confirm, it can be bypassed with a different UA.