
Authentication


Authentication is required for accessing the majority of resources on Roblox. Authentication can usually be granted with a cookie such as the .ROBLOSECURITY cookie.

Authenticating allows API requests to be sent as a logged-in user, which makes it possible to write bots that modify content on the Roblox platform (for example, ranking a user in a group). To do this, you need your .ROBLOSECURITY cookie.

.ROBLOSECURITY

The .ROBLOSECURITY token is placed in the client's cookies and identifies the user's active session. The cookie must be named .ROBLOSECURITY and contains a value similar to this:

_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN

The TOKEN is an uppercase hexadecimal string, roughly 600 characters in length.

Obtaining a cookie

The .ROBLOSECURITY cookie can be obtained by using a browser's web development tools or getting the cookie from Roblox Studio's files.

The warning message

The warning message is not required. However, the bounding characters _| and |_ are required when a message is added to the cookie's value; the text between them acts much like a comment in a programming language.

Tokens that would work:

_|Example text|_TOKEN
_||_TOKEN
TOKEN

Tokens that wouldn't work:

Example text_TOKEN
_TOKEN
Example textTOKEN

Authenticating in practice

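In Python, it may be preferable to use the "session" object provided by the requests library; the first example below demonstrates making requests with and without a session object. The listings that follow write a placeholder cookie inline. In real code, load the value at runtime (for example, from an environment variable) rather than storing it in source.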
import requests

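# Placeholder value: TOKEN stands in for the real session token. The cookie is
# a bearer credential for the account, so real scripts should load it at
# runtime (environment variable, secrets manager) instead of keeping it in
# source.
cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

# requests applies no timeout by default; without one a stalled connection
# blocks the script indefinitely.
TIMEOUT_SECONDS = 10

# No session, with cookie dict: requests builds the Cookie header for this one
# request only.
req = requests.get(
    url="https://users.roblox.com/v1/users/authenticated",
    cookies={
        ".ROBLOSECURITY": cookie
    },
    timeout=TIMEOUT_SECONDS,
)

# No session, without cookie dict: the Cookie header is written by hand.
req = requests.get(
    url="https://users.roblox.com/v1/users/authenticated",
    headers={
        "Cookie": ".ROBLOSECURITY=" + cookie
    },
    timeout=TIMEOUT_SECONDS,
)

# With session: the cookie is stored once and reused by every request made
# through the session. It is scoped to the Roblox domain because a cookie
# stored without a domain is sent to every host the session talks to.
session = requests.Session()
session.cookies.set(".ROBLOSECURITY", cookie, domain=".roblox.com")
req = session.get(
    url="https://users.roblox.com/v1/users/authenticated",
    timeout=TIMEOUT_SECONDS,
)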
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

# Placeholder value: TOKEN stands in for the real session token. A real cookie
# is a session credential and is better read at runtime than kept in source.
COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

# Build a client that carries the session cookie, then ask the API which user
# the cookie belongs to.
authenticated_client = HTTP.cookies({ :".ROBLOSECURITY" => COOKIE })
response = authenticated_client.get("https://users.roblox.com/v1/users/authenticated")

# Print the raw response body.
body_text = response.body.to_s
puts body_text
// Placeholder value: TOKEN stands in for the real session token. A real cookie
// is a session credential and is better read at runtime than kept in source.
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// The Cookie header is written by hand. Browsers treat `Cookie` as a forbidden
// request header and drop it from fetch() calls, so this form is meant for
// server-side runtimes that provide a global fetch.
const requestOptions = {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
    },
};

const response = await fetch(
    "https://users.roblox.com/v1/users/authenticated",
    requestOptions
);

// Parse the JSON body and print it.
const authenticatedUser = await response.json();
console.log(authenticatedUser);
// npm install node-fetch
import fetch from "node-fetch"

// Placeholder value: TOKEN stands in for the real session token. A real cookie
// is a session credential and is better read at runtime than kept in source.
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// Hand-written Cookie header carrying the session cookie.
const cookieHeader = ".ROBLOSECURITY=" + COOKIE + ";";

const response = await fetch("https://users.roblox.com/v1/users/authenticated", {
    headers: { Cookie: cookieHeader },
});

// Parse the JSON body and print it.
const authenticatedUser = await response.json();
console.log(authenticatedUser);
/*
    Cargo.toml dependencies:
    reqwest = { version = "0.11.4" }
    tokio = { version = "1.11.0", features = ["macros", "rt-multi-thread"]}
*/
use reqwest::header::{HeaderMap, HeaderValue};
use reqwest::{Client, Method};

/// Placeholder `.ROBLOSECURITY` value; `TOKEN` stands in for the real session token.
///
/// NOTE(review): a real cookie is a session credential. Reading it at runtime
/// (for example with `std::env::var`) keeps it out of source control and out of
/// the compiled binary.
const COOKIE: &str = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

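/// Sends an authenticated GET request to the `users/authenticated` endpoint and
/// prints the response body.
///
/// # Errors
///
/// Returns an error if the cookie cannot be encoded as a header value, if the
/// request fails, or if the response body cannot be read. The original version
/// panicked through `unwrap()` in each of these cases.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::new();

    // `from_str` rejects bytes that are not valid in a header value (such as a
    // stray newline in the cookie), so that failure is propagated.
    let mut cookie_value = HeaderValue::from_str(&format!(".ROBLOSECURITY={};", COOKIE))?;
    // Mark the value as sensitive so that debug-formatting the header map does
    // not print the credential.
    cookie_value.set_sensitive(true);

    let mut headers = HeaderMap::new();
    headers.insert("Cookie", cookie_value);

    let response = client
        .request(
            Method::GET,
            "https://users.roblox.com/v1/users/authenticated",
        )
        .headers(headers)
        .send()
        .await?;

    // The body is printed whatever the HTTP status, as in the original.
    println!("{}", response.text().await?);
    Ok(())
}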
open System.Net.Http

// Placeholder .ROBLOSECURITY value; TOKEN stands in for the real session token.
// NOTE(review): a real cookie is a session credential. Reading it at runtime
// (for example from an environment variable) keeps it out of source control.
let COOKIE =
    "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

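// Sends an authenticated GET request to the users/authenticated endpoint,
// prints the response body and returns exit code 0.
[<EntryPoint>]
let main _ =
    async {
        // UseCookies = false switches off the handler's own cookie container so
        // that the Cookie header added by hand below is sent as written.
        use handler =
            new HttpClientHandler(UseCookies = false)

        use client = new HttpClient(handler)

        // The request and response are IDisposable; `use` / `use!` release them
        // when the async block finishes.
        use message =
            new HttpRequestMessage(HttpMethod.Get, "https://users.roblox.com/v1/users/authenticated")

        message.Headers.Add("Cookie", $".ROBLOSECURITY={COOKIE};")

        use! response = client.SendAsync(message) |> Async.AwaitTask

        let! body =
            response.Content.ReadAsStringAsync()
            |> Async.AwaitTask

        printfn "%s" body
    }
    |> Async.RunSynchronously

    0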
/*

You will need: 
consider >= 1.5.0
notable.http >= 0.5.0

fx service packages --install --registry CUSTOM_REGISTRY_URL_HERE --package consider@{<=1.5.0}
...

*/

using <"fx/internals/com.reflection">
using <"fx/internals/com.tasks">
using <"fx/com.consider">
using <"fx/com.notable.http">

using namespace com::notable;

// Placeholder .ROBLOSECURITY value; TOKEN stands in for the real session token.
// NOTE(review): a real cookie is a session credential. Supplying it at runtime
// keeps it out of source control.
const com::string* COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// silly reflection for people below fx 90
// Entry point: builds a GET request for the users/authenticated endpoint,
// attaches the .ROBLOSECURITY cookie as a Cookie header, and hands the request
// to `handler` through both schedule() and invoke().
// NOTE(review): main is declared `int` but no return statement is visible;
// confirm the language allows that.
[$->markBelow(com::reflection::kind_main_func)];
int main()
{
    http::request* request = http::init("https://users.roblox.com/v1/users/authenticated");
    request->method = http::GET;
    request->useDefaultRequest = false;
    // Cookie header built from a single name/value pair.
    // NOTE(review): round_down_ref presumably converts COOKIE to the type the
    // cookie map expects; confirm against the consider package.
    request->headers->set(
        "Cookie", http::cookie::str(
        {
                { ".ROBLOSECURITY", consider::round_down_ref<consider::kind_const_ptr>(COOKIE, typeof(com::string*)) }
        })
    );

    // NOTE(review): the schedule() call below and the invoke() call further down
    // are both active, so as written the request appears to be issued twice.
    // Keep only the one that is needed; confirm.
    // run at a scheduled time
    request->schedule(handler, com::tasks::threading::cancel_on_exception);

    // run now
    // do a stupid warning remover because fx90+ hates this for some reason.
#IF FX_VER > 90
#pragma warning disable TRIDER_JANDO4_B // Lazy initialization of time vector.
#endif
    request->invoke(handler, http::time::now());
#IF FX_VER > 90
#pragma warning restore TRIDER_JANDO4_B // Lazy initialization of time vector.
#endif
}

// More silly reflection for people < fx90
// Response callback passed to request->schedule() and request->invoke() in main.
// It acts only when `response` is non-null and reports success; the success
// branch is an empty placeholder for the caller's own handling.
// NOTE(review): `ex` is never inspected, so a failed request produces no output
// here. Confirm whether errors should be reported. If they are, keep the request
// headers out of the message, since they carry the session cookie.
[$->markBelow(com::reflection::kind_callback_func | http::kind_response_callback)];
void handler(http::request* request, http::response* response, com::exception* ex)
{
    // only run the below code when response isn't null.
    $->wrapWhen((response != nullptr), [!!]()
    {    
        if (response->code == http::kind_success && response->status == http::OK)
        {
            // This will give you your response
            // use com.notable.http.extensions.json for the response json extensions.
        }
    });
}
This article is a part of the Accessing the Roblox API series.