
Employee Discovers Undocumented Internal API Vulnerability Through Front-End Inspection
cybersecurity, API_security, JWT, front-end_inspection, internal_API, authentication_bypass, software_development, security_vulnerability
An employee tested an application developed by their company's CEO, built using Claude Code. By inspecting the Network tab in Chrome, they identified the front-end requests and replicated calls to an undocumented internal API. Using only an email and password, they obtained a JWT token and accessed the API routes via VS Code, bypassing the user interface entirely.