Ok, good idea. I tried that and it seems it passes in a "category" field. And, sure enough, that works in my code.
However, is this safe to use? I hate the idea of using undocumented APIs that may not be supported in future versions.
For instance, the PUT uses "category_id" and this uses "category". I have to think at some point someone is going to make that be consistent (and probably use "category_id" since that is the already published convention), at which point my code will break.
Is it safer to just use two requests with a POST then a PUT instead of using a "hidden" API?