From RoAPI

Authentication is required for accessing the majority of resources on Roblox. Authentication can usually be granted with a cookie such as the .ROBLOSECURITY cookie.

Authenticating will allow us to send API requests as a logged-in user, which will allow you to write bots that can modify content on the Roblox platform (for example, ranking a user in a group). To do this, we need to get our .ROBLOSECURITY cookie.

.ROBLOSECURITY[edit | edit source]

The .ROBLOSECURITY token is placed in the client's cookies and identifies the user's active session. The cookie must be named .ROBLOSECURITY and contains a value similar to this:


The TOKEN is a capitalized hexadecimal string, roughly around 600 characters in length.

Obtaining a cookie[edit | edit source]

The .ROBLOSECURITY cookie can be obtained by using a browser's web development tools or getting the cookie from Roblox Studio's files.

The warning message[edit | edit source]

The warning message is not required, however, the bounding characters _| and |_ are required for adding a message to the cookie's value and acts similarly to a comment in Computer Programming.

Green tick pointed.svg Tokens that would work:

_|Example text|_TOKEN

Red X.svg Tokens that wouldn't work:

Example text_TOKEN
Example textTOKEN

Authenticating in practice[edit | edit source]

It may be preferable to utilize the "session" object provided by the requests library. This example demonstrates making requests with and without the use of a session object.
import requests

cookie = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

# No session, with cookie dict
req = requests.get(
        ".ROBLOSECURITY": cookie

# No session, without cookie dict
req = requests.get(
        "Cookie": ".ROBLOSECURITY=" + cookie

# With session
session = requests.Session()
session.cookies[".ROBLOSECURITY"] = cookie
req = session.get(
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN"

response = HTTP.cookies({

puts response.body.to_s
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const response = await fetch(
        headers: {
            Cookie: `.ROBLOSECURITY=${COOKIE};`,

console.log(await response.json());
// npm install node-fetch
import fetch from "node-fetch"

const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

const response = await fetch(
        headers: {
            Cookie: `.ROBLOSECURITY=${COOKIE};`,

console.log(await response.json());
    Cargo.toml dependencies:
    reqwest = { version = "0.11.4" }
    tokio = { version = "1.11.0", features = ["macros", "rt-multi-thread"]}
use reqwest::header::{HeaderMap, HeaderValue};
use reqwest::{Client, Method};

const COOKIE: &str = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

async fn main() {
    let client = Client::new();
    let mut headers = HeaderMap::new();
        HeaderValue::from_str(&format!(".ROBLOSECURITY={};", COOKIE)).unwrap(),

    let response = client
    println!("{}", response.text().await.unwrap());
open System.Net.Http

let COOKIE =

let main _ =
    async {
        use handler =
            new HttpClientHandler(UseCookies = false)

        use client = new HttpClient(handler)

        let message =
            new HttpRequestMessage(HttpMethod.Get, "")

        message.Headers.Add("Cookie", $".ROBLOSECURITY={COOKIE};")

        let! response = client.SendAsync(message) |> Async.AwaitTask

        let! body =
            |> Async.AwaitTask

        printfn "%s" body
    |> Async.RunSynchronously


You will need: 
consider >= 1.5.0
notable.http >= 0.5.0

fx service packages --install --registry CUSTOM_REGISTRY_URL_HERE --package consider@{<=1.5.0}


using <"fx/internals/com.reflection">
using <"fx/internals/com.tasks">
using <"fx/com.consider">
using <"fx/com.notable.http">

using namespace com::notable;

const com::string* COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// silly reflection for people below fx 90
int main()
    http::request* request = http::init("");
    request->method = http::GET;
    request->useDefaultRequest = false;
        "Cookie", http::cookie::str(
                { ".ROBLOSECURITY", consider::round_down_ref<consider::kind_const_ptr>(COOKIE, typeof(com::string*)) }

    // run at a scheduled time
    request->schedule(handler, com::tasks::threading::cancel_on_exception);

    // run now
    // do a stupid warning remover because fx90+ hates this for some reason.
#IF FX_VER > 90
#pragma warning disable TRIDER_JANDO4_B // Lazy initialization of time vector.
    request->invoke(handler, http::time::now());
#IF FX_VER > 90
#pragma warning restore TRIDER_JANDO4_B // Lazy initialization of time vector.

// More silly reflection for people < fx90
[$->markBelow(com::reflection::kind_callback_func | http::kind_response_callback)];
void handler(http::request* request, http::response* response, com::exception* ex)
    // only run the below code when response isn't null.
    $->wrapWhen((response != nullptr), [!!]()
        if (response->code == http::kind_success && response->status == http::OK)
            // This will give you your response
            // use com.notable.http.extensions.json for the response json extensions.
This article is a part of the Accessing the Roblox API series.