  1. Mojang Web Services
  2. WEB-1382

Mojang API only shows blocked usernames when authenticated


    • Bug
    • Resolution: Works As Intended
    • Normal
    • API
    • None

      I was using the Mojang API for "Username -> UUID at time" trying to determine whether or not a specific username is usable right now. (https://wiki.vg/Mojang_API#Username_-.3E_UUID_at_time)

      When I request this API endpoint, there are two possible outcomes:

      However, there are quite a few usernames which fall under the second bullet point ("Available") but aren't actually available when I try to change my username. Most of the time, these usernames are vulgar.

      For example, requesting the username "cum" returns a 204 with no data, just like an available username would: https://api.mojang.com/users/profiles/minecraft/cum

      I wanted to determine the difference between vulgar names like this and available names, so I did a bit of digging around in the console on the minecraft.net site. What I found out was that, when changing a username, the same API is used; however, it's also requested with an auth token for the user's account.

      I tried doing the same requests with an auth token, and what I found was actually different outcomes:

      • Taken: When the username is taken, the page will have a status code of 200 and its body will have information about the user with the given name. This is the same as before, without an auth token.
      • Available: When the username is available, instead of returning a 204 like without an auth token, the page returns a 404 not found error. (example: https://api.mojang.com/users/profiles/minecraft/0182fh12 with header "Authorization: Bearer <auth token>")
      • Banned: When the username is vulgar, it now returns a 204 if the authorization token is present. (example: https://api.mojang.com/users/profiles/minecraft/cum with header "Authorization: Bearer <auth token>")

      This makes no sense, and the version listed above (with the auth token) should be available to all users without requiring an auth token. This way, the public would easily be able to see which usernames are not usable.

            Unassigned
            Mistri
            Votes: 2
            Watchers: 4
