X-CSRF-Token

At this point, we’re now authenticated - but there’s one thing missing. If we try to send a POST request, you’ll notice that the request still fails.

Here's an example of some code that won't work due to the X-CSRF-Token: Python=

This code will output the following: 403 Token Validation Failed

The  status code is returned when the client "is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account".

If you saw this while trying to write your own code to access the API, you might ask "why is this error coming up? My .ROBLOSECURITY token is correct, and it worked when I used the "Try it out!" button on the documentation page."

The truth is that this error message isn’t referring to "token" as in your .ROBLOSECURITY token - it’s actually referring to a header that you have to supply to all requests that change data called the.

To handle this token, each time we send a request, we'll save the  - which is present in the response headers - to a value. Then, if the request failed with a status code of 403, we'll send the request again with the  we just got the first request as a request header.

With the Session object, we can just store the token in the headers dictionary, but you can pass them directly to each request as well.

Python=

This program will send one request, check if the  was present in the response, and if so will store it back into the session's headers. We then repeat the first request again, and then outputs the status codes from both requests.

This code should output the following:

First: 403 Second: 200

This solution works - but it doesn't scale well. If we want to properly do this, we’ll put all of this logic in a function that handles our requests for us and then call that when sending requests. This is (essentially) what the request wrappers in Roblox API wrapper libraries do.

Here's an example of a function that does this: Python=

Now that we’ve done this, it makes it marginally easier to send requests to the API.