I'm on JSON. I am sure that one has to exploit JSON callbacks but not sure how exactly. Also, found the /token/ and /Account/ endpoints. Do not have any credentials, though. If I had credentials, I could try to forge a JWT and send it as Bearer Token, which is expected by the server according to the source. Any hints welcome!