I just figured out that using POST does not decrease the x-rate-limit-remaining value of users/lookup.json, which means it might be exploitable.
I’m trying to use the users/lookup.json method of the REST-API v1.1 but stumbled across a weird issue.
When I use GET, all the x-rate-limit headers are contained in the response of the API.
But as soon as I use POST, the x-rate-limit headers are not contained in the API response anymore.
I really need to use POST though, because my app looks up 100 users per request, and for that many lookups the docs strongly encourage using POST instead of GET:
The status code of the response is 200 in both cases and the looked-up users are correctly retrieved by my app as well. I am using application-only authentication, and I also switched the permissions of my app from ‘Read’ to ‘Read, write, and direct messages’, but to no avail.
I am looking forward to your answers.
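Since the POST response carries no x-rate-limit headers, the only way to tell whether POST calls are charged to the window is to bracket a batch of them with GET probes and compare the `x-rate-limit-remaining` values. The script below does that; it is an added example and not code from the original post or from Twitter. It assumes the endpoint is `https://api.twitter.com/1.1/users/lookup.json`, that an application-only bearer token is read from the `TWITTER_BEARER_TOKEN` environment variable, and the header values used by the pure helpers are constructed sample data.

```python
"""Probe whether POST calls to users/lookup.json consume the rate-limit window.

Added example, not code from the original post. Assumptions (not from the
post): the bearer token comes from the TWITTER_BEARER_TOKEN environment
variable, and the endpoint URL is LOOKUP_URL below. Header dicts fed to the
pure helpers in tests are constructed samples.
"""
import os
import urllib.parse
import urllib.request
from typing import Dict, Iterable, Optional, Tuple

LOOKUP_URL = "https://api.twitter.com/1.1/users/lookup.json"  # assumed endpoint
PREFIX = "x-rate-limit-"
RATE_LIMIT_HEADERS = (PREFIX + "limit", PREFIX + "remaining", PREFIX + "reset")


def parse_rate_limit(headers: Dict[str, str]) -> Optional[Dict[str, int]]:
    """Return {'limit','remaining','reset'} as ints, or None if any header is absent.

    Header names are matched case-insensitively. A response with no
    x-rate-limit headers (the POST case in the question) yields None rather
    than a partial dict, so a missing header is never mistaken for zero.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not all(name in lowered for name in RATE_LIMIT_HEADERS):
        return None
    return {name[len(PREFIX):]: int(lowered[name]) for name in RATE_LIMIT_HEADERS}


def consumed(before: Dict[str, int], after: Dict[str, int]) -> Optional[int]:
    """Requests charged to the window between two parsed GET probes.

    Returns None if the window reset in between (reset timestamp changed):
    remaining counts from different windows are not comparable.
    """
    if before["reset"] != after["reset"]:
        return None
    return before["remaining"] - after["remaining"]


def interpret(delta: Optional[int], posts: int) -> str:
    """Explain a delta from consumed() for a run of `posts` POST requests.

    The second GET probe is itself charged, so a delta of 1 means the POSTs
    cost nothing and posts + 1 means they were charged like GETs.
    """
    if delta is None:
        return "window reset between probes; rerun"
    if delta == 1:
        return "POST requests were not charged to the rate-limit window"
    if delta == posts + 1:
        return "POST requests were charged like GET requests"
    return f"unexpected delta {delta}; another client may share this app's window"


def lookup_users(token: str, screen_names: Iterable[str], method: str = "GET"
                 ) -> Tuple[int, Dict[str, str], bytes]:
    """Call users/lookup.json with app-only bearer auth; return (status, headers, body)."""
    params = urllib.parse.urlencode({"screen_name": ",".join(screen_names)})
    if method == "GET":
        req = urllib.request.Request(f"{LOOKUP_URL}?{params}", method="GET")
    else:
        # Same parameters, but carried in a form-encoded body as the docs ask for large lookups.
        req = urllib.request.Request(LOOKUP_URL, data=params.encode(), method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), resp.read()


def probe(token: str, screen_names: Iterable[str], posts: int = 3) -> str:
    """GET once, POST `posts` times, GET again, and report what the window charged."""
    names = list(screen_names)
    _, h0, _ = lookup_users(token, names, "GET")
    for _ in range(posts):
        lookup_users(token, names, "POST")
    _, h1, _ = lookup_users(token, names, "GET")
    before, after = parse_rate_limit(h0), parse_rate_limit(h1)
    if before is None or after is None:
        return "GET probe returned no x-rate-limit headers; cannot measure"
    return interpret(consumed(before, after), posts)


if __name__ == "__main__":
    bearer = os.environ["TWITTER_BEARER_TOKEN"]  # assumed env var
    print(probe(bearer, ["twitterdev", "twitterapi"]))
```

Run it against an otherwise idle app (any other client sharing the same application-only token will skew the delta), and repeat once if the first run reports a window reset.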