by moralestapia 632 days ago
I see, thanks.

No credentials involved here, though.

2 comments

TFA mentioned sending requests with a table number that the sender was not at. That is hardly any different from the idea of showing a badge that wasn't issued to you. The ease of spoofing doesn't matter at all, in the eyes of such laws.

The same could be said about typing any URL that wasn't knowingly supplied to you by the owner, but a "reasonableness test" in court would sort those out from nefarious activity.

The question a judge (or jury) would answer is: would a reasonable person think they had permission to access it?

API documented on the website under a section called “For Developers”? Probably, yes. API reverse engineered by intercepting requests? Probably not.

Note that the blog was taken down before I could read it myself.