for all of the requests to their api, it constructs a very long query string that is a basic fingerprint of your browser/os. then the query needs to be signed (or else the api returns a captcha), which is done by a blob of encrypted/obfuscated-beyond-recovery JS that uses a more comprehensive browser fingerprint to validate the query string and generate a token that is appended to the query. there's another required query param which involves an xhr to phone home so that presumably the fingerprints can be checked server-side. finally all of your fingerprint data is sent to their api where it lives happily ever after and you get some 15 second videos to watch