Found an issue in the <cal.com> public api <https:...
# developers
b
Found an issue in the cal.com public api (link to exact request). When I query an existing booking with a real ID, I get a good response. When I query a booking that doesn’t exist, it gives me the response:
{"message": "You are not authorized"}
Expected a 404 or an empty response, because my auth information is fine. I assume this is because this booking exists on some other account with another API key.
a
That's not true. That gives away the information on whether or not a booking with that ID exists. Not a good practice in terms of security.
b
I don’t know how you mean it’s not true… Screenshots for proof. API authorization is clearly good. This booking doesn’t exist on my org, and the API should be able to tell me that it doesn’t exist instead of some other cryptic message. Having it tell me that I’m unauthed is confusing because my auth information is correct.
a
Hmm. Perhaps we can invert it. After a little discussion with the team, it makes sense to return 404 for any request that has nothing to return, either due to lack of authorization or lack of actual data. I'll take a look 🙏
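The pattern agreed on above, as an added example that is not cal.com's own code: a booking lookup scoped to the caller's org, so a missing ID and an ID owned by another org produce the identical 404, while only a bad API key produces "not authorized". The `Booking` type, `API_KEYS` and `BOOKINGS` are constructed sample data.

```python
# Added example, not cal.com's code: org-scoped lookup that collapses
# "no such booking" and "someone else's booking" into one identical 404.
from dataclasses import dataclass


@dataclass(frozen=True)
class Booking:
    id: int
    org_id: str
    title: str


# Constructed sample data: two orgs, each holding one booking.
API_KEYS = {"key-org-a": "org-a", "key-org-b": "org-b"}
BOOKINGS = {
    101: Booking(101, "org-a", "Intro call"),
    202: Booking(202, "org-b", "Design review"),
}

# One shared response object so both "not found" paths are byte-identical.
NOT_FOUND = (404, {"message": "Booking not found"})


def get_booking(api_key: str, booking_id: int):
    """Return (status, body). Authentication is checked first; after that
    the lookup is scoped to the caller's org, so an absent booking and a
    booking owned by another org are indistinguishable to the caller."""
    org = API_KEYS.get(api_key)
    if org is None:
        # Bad or missing key: the only case that should say "unauthorized".
        return 401, {"message": "You are not authorized"}
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.org_id != org:
        # Do not branch on which of the two conditions held.
        return NOT_FOUND
    return 200, {"id": booking.id, "title": booking.title}


def leaks_existence(api_key: str, missing_id: int, foreign_id: int) -> bool:
    """Regression check: True if a caller can tell a missing ID apart from
    an ID that exists in another org by comparing the two responses."""
    return get_booking(api_key, missing_id) != get_booking(api_key, foreign_id)
```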