Depends on the age of the tool. We work with a lot of legacy systems that actually want us to integrate with them but don’t have the dev resources to build a proper API surface. As a result, we end up doing a lot of painful reverse engineering. These tools look promising for purposes like this.

I curious as to why people would have a public API to begin with if they wanted to protect it from people using it. Then again, why would anyone have a public undocumented API in 2024 when a LLM can give you a cli tool to auto-generate 90% of the OpenAPI spec in a couple of hours? The last question isn't serious, I've worked in enterprise for decades and almost none of the tools organisations end up buying have good documentation for their API's. Not that those are publicly available, but still.

I think you have a misunderstanding here.

The API needs to be "public" because the app uses the internet to communicate back to the home server.

The API is not "public" in the sense that the app developers want anybody to use it; they just want their app to use this API. So they don't write publicly accessible documentation about it because they don't want to encourage its use.

A tool like MitmProxy2Swagger lets you run the app and record all of its API calls so that you can use this unadvertised API.

Why wouldn’t you add authentication to an API you don’t want others to use?

The web app probably authenticates using an API as well, in which case it's trivial to add that to your shadow client as long as you have the credentials.

Laziness / skill issue.

How many apps have you seen only do client-side protection?

Making a mitmproxy dump from a manual browsing session is more or less unblockable, barring some TPM or similar fuckery.

Usage of the API even with the protocol known OTOH can be quite easily made really hard.

There are many cases where users are behind a forward proxy for security/compliance reasons. Most applications need to support these types of users.