# api-investigation.md — copied from kanban investigation task t_54f0a481 ## Key Findings ### Architecture - **Seed** (`/login/`) — Vue 3.5 SPA auth page - **Application** (`/cs1/`, `/cs4/`) — ASP.NET MVC behind Azure Application Gateway - **Machine List page** at `/cs4/VueMachineList/` (modern SPA) ### Auth Flow (httpx-compatible) 1. `GET /login/api/DataContext/GenerateAntiForgeryState` → CSRF token 2. `POST /login/api/SignIn/SignIn/en-US` with `__RequestVerificationToken` header + `{Email, Password, FormsAuthReturnUrl}` 3. Cookies are set automatically: `ASP.NET_SessionId`, `.ASPXAUTH`, `ApplicationGatewayAffinity`, `AeonPrincipalCacheVersion` ### Export - **Endpoint**: `POST /cs4/VueMachineList/ExcelExport` - StreamSaver.js streams result as "Machine List.xlsx" - 60+ configurable columns - Credentials via env: `CANTALOUPE_EMAIL`, `CANTALOUPE_PASSWORD` ### Recommendation Start with httpx-only (Option A). Fall back to Playwright-for-login (Option B) if needed. See full investigation at: `~/.hermes/kanban/boards/cantaloupe-downloader/workspaces/t_54f0a481/investigation-findings.md`