IMHO there is simply no reason to hide it or add some auth layer above. They just don’t release documentations about it so they can change whatever they want at any time and don’t have to worry about 3rd parties (+ don’t have to put the extra work in to maintain the docs).
The protocol itself is quite simple and straight forward. It got re-engineered and open-sourced by @droelf (which AFAIK this box is also using).
The original thread is here: