Authentication


Authentication is required for accessing the majority of resources on Roblox. Authentication can usually be granted with a cookie such as the .ROBLOSECURITY cookie.

Authenticating allows us to send API requests as a logged-in user, which makes it possible to write bots that modify content on the Roblox platform (for example, ranking a user in a group). To do this, we need our .ROBLOSECURITY cookie.

.ROBLOSECURITY

The .ROBLOSECURITY token is placed in the client's cookies and identifies the user's active session. The cookie must be named .ROBLOSECURITY and contains a value similar to this:

_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN

The TOKEN is an uppercase hexadecimal string, roughly 600 characters in length.

Obtaining a cookie

The .ROBLOSECURITY cookie can be obtained by using a browser's web development tools or getting the cookie from Roblox Studio's files.

The warning message

The warning message is not required. However, the bounding characters _| and |_ are required when adding a message to the cookie's value; the message acts much like a comment in programming.

Tokens that would work:

_|Example text|_TOKEN
_||_TOKEN
TOKEN

Tokens that wouldn't work:

Example text_TOKEN
_TOKEN
Example textTOKEN

Authenticating in practice

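In Python, it may be preferable to use the Session object provided by the requests library. The first example below demonstrates making requests with and without a session object; the examples that follow send the same request from other languages. In a real bot, the cookie value should be supplied at run time from an environment variable or a secret store rather than written into the script.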
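import os

import requests

# The .ROBLOSECURITY value is a session credential, so it is read from the
# environment at run time instead of being written into the source file.
# Accepted forms are "_|WARNING:...|_TOKEN", "_||_TOKEN" or the bare TOKEN.
# os.environ[...] raises KeyError when the variable is not set.
cookie = os.environ["ROBLOSECURITY"]

AUTHENTICATED_USER_URL = "https://users.roblox.com/v1/users/authenticated"

# requests applies no timeout by default; without one a stalled connection
# blocks the script indefinitely.
REQUEST_TIMEOUT = 10  # seconds

# No session, with cookie dict
req = requests.get(
    url=AUTHENTICATED_USER_URL,
    cookies={
        ".ROBLOSECURITY": cookie
    },
    timeout=REQUEST_TIMEOUT,
)

# No session, without cookie dict (the Cookie header is written by hand)
req = requests.get(
    url=AUTHENTICATED_USER_URL,
    headers={
        "Cookie": ".ROBLOSECURITY=" + cookie
    },
    timeout=REQUEST_TIMEOUT,
)

# With session
session = requests.Session()
# Bind the cookie to the Roblox domain: a jar entry stored without a domain is
# not tied to any host, so the session would attach it to requests for other
# sites as well.
session.cookies.set(".ROBLOSECURITY", cookie, domain=".roblox.com")
req = session.get(
    url=AUTHENTICATED_USER_URL,
    timeout=REQUEST_TIMEOUT,
)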
# Uses the http.rb gem. Run "gem install http" on your terminal to install it
require "http"
require "json"

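# The .ROBLOSECURITY value is a session credential, so it is read from the
# environment at run time instead of being written into the source file.
# Accepted forms are "_|WARNING:...|_TOKEN", "_||_TOKEN" or the bare TOKEN.
# ENV.fetch raises KeyError when the variable is not set, which stops the
# script before a request is sent without a cookie.
COOKIE = ENV.fetch("ROBLOSECURITY")

# HTTP.cookies builds the Cookie header from the hash; the quoted symbol is
# needed because the cookie name starts with a dot.
response = HTTP.cookies({
    :".ROBLOSECURITY" => COOKIE
}).get("https://users.roblox.com/v1/users/authenticated")

# Print the raw response body.
puts response.body.to_s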
// Placeholder for the .ROBLOSECURITY cookie value; TOKEN stands in for the
// real session token. The real value is an account credential and belongs in
// runtime configuration rather than in the file itself.
const COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// Endpoint that reports the user the cookie belongs to.
const AUTHENTICATED_USER_URL = "https://users.roblox.com/v1/users/authenticated";

// The cookie is sent as a hand-written Cookie header. Browsers treat Cookie as
// a forbidden request header and drop it from fetch() calls, so this form only
// takes effect in a server-side runtime that provides a global fetch.
const requestOptions = {
    headers: {
        Cookie: `.ROBLOSECURITY=${COOKIE};`,
    },
};

const response = await fetch(AUTHENTICATED_USER_URL, requestOptions);

// Parse the response body as JSON and print it.
console.log(await response.json());
// npm install node-fetch
import fetch from "node-fetch"

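// The .ROBLOSECURITY value is a session credential, so it is read from the
// environment at run time instead of being written into the source file.
// Accepted forms are "_|WARNING:...|_TOKEN", "_||_TOKEN" or the bare TOKEN.
const COOKIE = process.env.ROBLOSECURITY;
if (!COOKIE) {
    // Stop before sending a request that would carry "undefined" as the cookie.
    throw new Error("Set the ROBLOSECURITY environment variable to the .ROBLOSECURITY cookie value");
}

// node-fetch keeps no cookie jar, so the Cookie header is written by hand.
const response = await fetch(
    "https://users.roblox.com/v1/users/authenticated",
    {
        headers: {
            Cookie: `.ROBLOSECURITY=${COOKIE};`,
        },
    }
);

// Parse the response body as JSON and print it.
console.log(await response.json());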
/*
    Cargo.toml dependencies:
    reqwest = { version = "0.11.4" }
    tokio = { version = "1.11.0", features = ["macros", "rt-multi-thread"]}
*/
use reqwest::header::{HeaderMap, HeaderValue};
use reqwest::{Client, Method};

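/// Name of the environment variable that supplies the `.ROBLOSECURITY` cookie value.
///
/// The value is a session credential, so it is read at run time instead of being
/// compiled into the binary. Accepted forms are `_|WARNING:...|_TOKEN`, `_||_TOKEN`
/// or the bare `TOKEN`.
const COOKIE_ENV_VAR: &str = "ROBLOSECURITY";

/// Sends one authenticated GET request and prints the response body.
///
/// # Errors
///
/// Returns an error when the environment variable is missing or not valid Unicode,
/// when the cookie contains bytes that are not allowed in a header value, or when
/// sending the request or reading the body fails.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let cookie = std::env::var(COOKIE_ENV_VAR)?;

    let mut cookie_header = HeaderValue::from_str(&format!(".ROBLOSECURITY={};", cookie))?;
    // A sensitive header value is redacted in Debug output and is not added to
    // the HTTP/2 header compression table.
    cookie_header.set_sensitive(true);

    let mut headers = HeaderMap::new();
    headers.insert("Cookie", cookie_header);

    let client = Client::new();
    let response = client
        .request(
            Method::GET,
            "https://users.roblox.com/v1/users/authenticated",
        )
        .headers(headers)
        .send()
        .await?;

    println!("{}", response.text().await?);
    Ok(())
}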
open System.Net.Http

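/// Name of the environment variable that supplies the .ROBLOSECURITY cookie value.
/// The value is a session credential, so it is read at run time instead of being
/// written into the source file. Accepted forms are "_|WARNING:...|_TOKEN",
/// "_||_TOKEN" or the bare TOKEN.
let COOKIE_VARIABLE = "ROBLOSECURITY"

/// Sends one authenticated GET request and prints the response body.
/// Returns 0 after the request completes and 1 when the cookie variable is unset or empty.
[<EntryPoint>]
let main _ =
    match System.Environment.GetEnvironmentVariable COOKIE_VARIABLE with
    | null
    | "" ->
        eprintfn "Set the %s environment variable to the .ROBLOSECURITY cookie value." COOKIE_VARIABLE
        1
    | cookie ->
        async {
            // UseCookies = false turns off the handler's own cookie container;
            // with it enabled, a Cookie header added by hand is not sent.
            use handler =
                new HttpClientHandler(UseCookies = false)

            use client = new HttpClient(handler)

            // The request message and the response are disposable, so both are
            // bound with use to release them when the block ends.
            use message =
                new HttpRequestMessage(HttpMethod.Get, "https://users.roblox.com/v1/users/authenticated")

            message.Headers.Add("Cookie", $".ROBLOSECURITY={cookie};")

            use! response = client.SendAsync(message) |> Async.AwaitTask

            let! body =
                response.Content.ReadAsStringAsync()
                |> Async.AwaitTask

            printfn "%s" body
        }
        |> Async.RunSynchronously

        0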
/*

You will need: 
consider >= 1.5.0
notable.http >= 0.5.0

fx service packages --install --registry CUSTOM_REGISTRY_URL_HERE --package consider@{<=1.5.0}
...

*/

using <"fx/internals/com.reflection">
using <"fx/internals/com.tasks">
using <"fx/com.consider">
using <"fx/com.notable.http">

using namespace com::notable;

// Placeholder for the .ROBLOSECURITY cookie value; TOKEN stands in for the real
// session token. The text between _| and |_ is the optional message part.
const com::string* COOKIE = "_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_TOKEN";

// Entry point: builds a GET request for the authenticated-user endpoint, sets a
// Cookie header carrying .ROBLOSECURITY, and passes the request to `handler`.
// NOTE(review): main is declared int but no return statement is visible here;
// confirm the language supplies a default exit code.
// silly reflection for people below fx 90
[$->markBelow(com::reflection::kind_main_func)];
int main()
{
    http::request* request = http::init("https://users.roblox.com/v1/users/authenticated");
    request->method = http::GET;
    // NOTE(review): presumably disables library-provided default request settings so
    // that only the headers set below are sent; confirm against the http package.
    request->useDefaultRequest = false;
    // The Cookie header is built from a single name/value pair: .ROBLOSECURITY and COOKIE.
    request->headers->set(
        "Cookie", http::cookie::str(
        {
                { ".ROBLOSECURITY", consider::round_down_ref<consider::kind_const_ptr>(COOKIE, typeof(com::string*)) }
        })
    );

    // NOTE(review): schedule() here and invoke() below are both live calls, so
    // `handler` is passed twice. If they are meant as alternatives, confirm which
    // one should stay.
    // run at a scheduled time
    request->schedule(handler, com::tasks::threading::cancel_on_exception);

    // run now
    // do a stupid warning remover because fx90+ hates this for some reason.
    // NOTE(review): the comment above says fx90+, but `> 90` does not match
    // version 90 itself; confirm the intended bound.
#IF FX_VER > 90
#pragma warning disable TRIDER_JANDO4_B // Lazy initialization of time vector.
#endif
    request->invoke(handler, http::time::now());
#IF FX_VER > 90
#pragma warning restore TRIDER_JANDO4_B // Lazy initialization of time vector.
#endif
}

// Response callback for the request built in main. The body runs only when
// `response` is non-null, and the inner branch is taken when the code is
// http::kind_success and the status is http::OK.
// NOTE(review): `ex` is never inspected, so a failed request presumably passes
// without any report; confirm, and log the exception if so.
// More silly reflection for people < fx90
[$->markBelow(com::reflection::kind_callback_func | http::kind_response_callback)];
void handler(http::request* request, http::response* response, com::exception* ex)
{
    // only run the below code when response isn't null.
    $->wrapWhen((response != nullptr), [!!]()
    {    
        if (response->code == http::kind_success && response->status == http::OK)
        {
            // This will give you your response
            // use com.notable.http.extensions.json for the response json extensions.
        }
    });
}
This article is a part of the Accessing the Roblox API series.