my old issues:

I want to try and use the 3.0 scratch API, but I'm not using javascript and I don't really know it all that well I can do GET and PUT at least but I don't really know what else I can do and should look for, I've gotten to https://api.scratch.mit.edu/users/<user>/messages?x-token=<Token> but I have no idea where to get said token sorry if this is already explained elsewhere but I simply couldn't find it or couldn't understand it, thanks if you are willing to help. also if you could, would you please mention the other ways to get information, like the stuff in my backpack and how to follow people and make comments, I'm sorry if I'm asking a lot but I want to try and use the API. also if posable I would like to get the token using the API.

For anyone afterward trying to get yours working:
when using the POST make sure

1. the website you are posing is: https://scratch.mit.edu/login/
2. make sure your headers are: {{“X-CSRFToken”, “a”}, {“x-requested-with”, “XMLHttpRequest”}, {“Cookie”, “scratchcsrftoken=a;scratchlanguage=en;”}, {“referer”, "https://scratch.mit.edu"}}
3. use the format(change the BOLD) {“username”:"yourUsername“,”yourPassword“:”password"}
4. if you get HTML for a 403 error, your headers are wrong
5. if you get HTML for the scratch servers aren't working, your body is wrong and your headers are fine
6. if you get a error like [{“username”: “mathman05”, “num_tries”: 1, “success”: 0, “msg”: “Incorrect username or password.”, “messages”: , “id”: null}] it means you got the password or username wrong
7. if you get a message like [{“username”: “mathman05”, “token”: “num1:num2”, “num_tries”: 1, “success”: 1, “msg”: “”, “messages”: , “id”: num}] you got it all right
8. never EVER share your token, it is YOUR scratch account this is how people could become you, they could find your email, messages, backpack, unshared projects, everything, and they could do what you can do, comment on projects, change studio discussions, share projects, etc.
9. your token is where num1:num2 is it is not a number it is a very long string
10. to use your token on the API add ?x-token=YOURTOKEN to the end of your API request this will give you Authentication so if it says you don't have it put that on the end of the API request
11. if anyone has your token or you think they might have your token email the scratch team right away at https://scratch.mit.edu/contact-us/#
12. Be careful and don't try something with your token unless you know for sure its scratch API and not just someone trying to steal your acount

Token is obtainable by accessing /session - but that requires you to log in.
This is a bit hard, what language are you using?

eh, the language, I have no idea what its called, and as I said I have GET and PUT that's it which I really do hope its enough, could you do something like
GET:https://website/<lable>
POST:HTTPS//website/<lable>
I'm sorry if I'm asking too much, thanks for responding. also how would I find out other scratch API I can interact with, like the backpack, and commenting thanks for your help.

https://towerofnix.github.io/scratch-api-unofficial-docs/ is a pretty good reference for most of the scratch api. You can take a look at some of the issues on github for apis that haven't been added to those docs yet but do exist - sometimes you might have to browse through some scratch-www code to actually fond the endpoints though.

that helps as I needed that list , but I still need a way to get a token using the API, the way they do it isn't using the API…

If you know javascript, take a look at https://github.com/Zxnii/scratch-site-api/blob/6eee9de4b32b2d406b2ba9e9c9e5d3809ffb7012/index.js#L19.
If not, I'll try and explain it in words

yeah, I don't really know javascript, thanks for your help that website was really helpful all I need now is a way to get that token

although it doesn't look all that bad give me a sec to try

I was close, what does this mean?
(PS I know its HTML but what does it need from me?)

<!DOCTYPE html> <html lang=“en”> <head> <meta http-equiv=“content-type” content=“text/html; charset=utf-8”> <meta name=“robots” content=“NONE,NOARCHIVE”> <title>403 Forbidden</title> <style type=“text/css”> html * { padding:0; margin:0; } body * { padding:10px 20px; } body * * { padding:0; } body { font:small sans-serif; background:#eee; } body>div { border-bottom:1px solid #ddd; } h1 { font-weight:normal; margin-bottom:.4em; } h1 span { font-size:60%; color:#666; font-weight:normal; } #info { background:#f6f6f6; } #info ul { margin: 0.5em 4em; } #info p, #summary p { padding-top:10px; } #summary { background: #ffc; } #explanation { background:#eee; border-bottom: 0px none; } </style> </head> <body> <div id=“summary”> <h1>Forbidden <span>(403)</span></h1> <p>CSRF verification failed. Request aborted.</p> <p>You are seeing this message because this HTTPS site requires a &#39;Referer header&#39; to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p> <p>If you have configured your browser to disable &#39;Referer&#39; headers, please re-enable them, at least for this site, or for HTTPS connections, or for &#39;same-origin&#39; requests.</p> </div> <div id=“explanation”> <p><small>More information is available with DEBUG=True.</small></p> </div> </body> </html>

I figured it out but now its saying “Bad Request” any idea how to fix that?

You first need to fetch CSRF token, then login, then get session. You need to pass cookies and headers (Origin, X-Requested-With, X-Token)

the headers are now put in correctly and the website pulls up instead of an error, it's still an error but the body is the last part that could error.

nm it could still be the header

nm the header is ok

I figured it out! thank you so much for your help!