Never mind, worked it out.
So you send a GET request to /search/reverse and harvest the authenticity_token value.
Do a POST to /images/screape_url, giving it the URL you want to reverse search and the authenticity_token.
Do a POST to /search/reverse with the authenticity_token, the scraped URL, fuzziness, and a utf8 of ✓.
It spits back the HTML of the results ready for scraping.
I worked this out by reverse-engineering the “[Userscript] semi-Automated Derpibooru Uploader” JS. So given that it is being used (by official userscripts), I’d like to know…
Do I have permission to use this, and if so, is there a limit on hits you’d like me to impose? My traffic would be low (this is the ultimate fallback when filename/url matching can’t be done) and around 1-4 per hour at most.