Authentication

Authentication is required for accessing the majority of resources on Roblox. Authentication can usually be granted with a cookie such as the  cookie.

Authenticating will allow us to send API requests as a logged-in user, which will allow you to write bots that can modify content on the Roblox platform (for example, ranking a user in a group). To do this, we need to get our .ROBLOSECURITY cookie.

.ROBLOSECURITY
The .ROBLOSECURITY token is placed in the client's cookies and identifies the user's active session. The cookie must be named  and contains a value similar to this: _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN The  is a capitalized hexadecimal string, roughly around 600 characters in length.

Obtaining a cookie
The  cookie can be obtained by using a browser's web development tools or getting the cookie from Roblox Studio's files.

The warning message
The warning message is not required, however, the bounding characters  and   are required for adding a message to the cookie's value and acts similarly to a comment in Computer Programming.

Tokens that would work: _|Example text|_TOKEN _||_TOKEN TOKEN Tokens that wouldn't work: Example text_TOKEN _TOKEN Example textTOKEN

Authenticating in practice
As we’re now sending requests with cookies, it’s easier for us to use a "session" object that maintains our cookies on each new request. Your programming language of choice may not support a "session object". Requests also allows us to save time by passing a dictionary containing cookies rather than passing a  header. Due to the fact that your own requests library of choice may differ in features from my own, I’ll demonstrate the same thing with a cookie dictionary, a header, and a session.

Python= Ruby = JavaScript (with Deno) = JavaScript (with Node.js) = Rust = F# = FireX =