If pushing the right buttons on a Video Poker machine to make it pay out 10x jackpot is a CFAA violation, then yes, writing a script to access an undocumented API is unauthorized access.

Then again, I'm pretty sure that company lost their case. How can you claim that it's not documented if you provide HTML and Javascript example code?