any update on this? i have the same question....
all API/graphql requests can be done programmatically by sending 3 headers:
one of the request that sets these cookies is the one done to --> POST https://api.x.com/1.1/onboarding/task.json
but it also sends an Authorization token and X-Guest-Token via the headers :/