[Public Beta] Building Your Applications with OAuth 2.0

Updates Announcements
#1

Hi Creators,

We are thrilled to announce that everyone can now create their own OAuth 2.0 applications! This will allow you to make external websites, tools, bots, and other software that not only lets users sign in with their Roblox user identity but also get their consent for your apps to access their Roblox resources.

Check out this video to see how OAuth 2.0 works:

Open Cloud strives to unleash a vibrant 3rd-party application ecosystem to serve the diverse needs of the community. It includes a rich set of standardized APIs and an authorization/authentication framework that allows these APIs to access Roblox Cloud. We started with API keys as the auth method so you can write your own scripts and tools. OAuth2.0, on the other hand, allows you to build applications that can be used by the rest of the community.

Getting started is easy, here’s how you can create an app:

Note: You must be ID Verified to be able to create OAuth 2.0 apps.

OAuth 2.0 & Available APIs

OAuth 2.0 is an industry-standard protocol. It provides a framework for users to grant limited access to their protected Roblox resources, such as their inventory, to another application without sharing their username and password. You can request to access the following permissions (a.k.a. scope in OAuth terminology) in the app edit page:

Scope Applicable API Functionality Use Case
openid GET /oauth/v1/userinfo Get Roblox User ID Validate a user’s Roblox identity, or “Sign in with Roblox” feature
profile GET /oauth/v1/userinfo Get a user’s username, displayname, profile link, etc Display such user info in your app
asset:read GET assets/v1/operations/{operationId} Read assets or asset related operations that are accessible to the user Read moderation status of an asset. Check the asset creation operation result.
asset:write POST assets/v1/assets
PATCH assets/v1/asset/{assetId} 		Create and update assets on the user’s behalf Create assets such as images using external tools and batch upload
universe-messaging-service:publish POST messaging-service/v1/universes/{universeId}/topics/{topic} Send messages to a topic of the cross-server messaging service LiveOps, e.g. launch events using a web portal

Wait, did we just say the Asset Creation API is available in OAuth 2.0? Learn more here. We’ll keep adding new APIs to OAuth 2.0 to unlock additional features that you can build. Feel free to reply with what APIs you’d need most. We’ll take that into account!

App Review & Publishing

To keep users safe from malicious apps, there is an upfront review required for OAuth 2.0 apps. Here’s how it works:

  • By default, your app is in “Private mode” with a limit of 10 authorized users. You can test and debug your apps with your team members in this mode.
  • Once you are ready to have more users, publish it in the app edit page.
  • Our moderators will review your app and make a decision (approval or rejection). You will get emails regarding the results within a few days.
  • If approved, your app is in Public mode without any user limit. Otherwise, you can modify your app and submit it for review again.
  • For all apps in public mode, any changes on the app edit page will need to be reviewed and approved again before the changes are exposed to your app users. We recommend cloning your app to test and debug before publishing again.

Oauth review flow

Check out this guide to learn more about the process. We’ll continue making further optimizations such as allowing you to add collaborators who can test the app, rather than the arbitrary 10-user limit. Stay tuned!

OAuth 2.0 has been a massive effort for us. We’d like to thank everyone who participated in the private beta program and offered their invaluable feedback! The program will continue being active with all new features and APIs first released there. If you’re interested in early access and offer us feedback, click here to apply.

This is it! Now the sky is your limit! We can’t wait to see what you’ll build! To get started, go to the Creator Dashboard to create your first app! Check out this overview to learn more about OAuth 2.0 and how to build an app.


Cheers,
The Roblox Creator Services Team

Update

09/20/2023

  • When profile scope is requested, the OpenID response now contains the user’s avatar thumbnail! You can use it to display in your app

09/12/2023

  • OAuth2 now supports CORS for frontend only apps! You can send requests from any web page without needing a proxy or other tools
244 Likes
Oauth2/SAML for ROBLOX (Authenticate/Login with ROBLOX)
Presenting Rojobs: Destroyer of Talent Hubs
Log in with ROBLOX, OAuth, SSO
OAuth 3rd-party applications can not be Managed in Settings
External application API
Mechanisms for automated access to (part of) the web API through bot accounts/tokens
Any ideas for a custom level loading system?
Updating Creator Roadmap - 3 Months Later
What we announced at RDC 2023
What are you working on currently? (2024)
Announcing general availability of Open Cloud OAuth 2.0
Reference Roblox Integration for Blender
Authorize account access
#2

This topic was automatically opened after 10 minutes.

#3

Nice update, the only thing that I can’t stop thinking about is what if someone makes a website then you connect you account but a few months later they just take all your avatar items and stuff

12 Likes
#4

This is a very awesome update. I’ve already had the chance to test out Oauth2 and it has helped speed up development of my web app tenfold.

Before it was a pain to authenticate roblox users with your service since you had to use hacky workarounds such as telling your users to put some sort of code into their roblox profile to prove ownership of their account. On top of this you also had to create a email and password system, which is not an easy thing to do.

all in all, I’m excited to see the things people will do with Roblox OAuth in the future. :sparkles:

19 Likes
#5

OAuth2 requires consent for the other application to be able to perform actions on your account.
It also depends on the availability of API’s to actually be able to read/write such information.

5 Likes
#6

Yes, I know but what if they ask to make changes to your account or something then your account is just all gone

4 Likes
#7

They wouldn’t be able to delete your account and what not, and even if they could they would have to request the “delete your account” scope, which is shown on the consent screen.
Also these apps go through manual review when they need to be published, so you can expect some sanity checks from Roblox their end.

9 Likes
#8

that’s not how this works, it has no access to your robux or items

5 Likes
#9

A question though, will the old API’s (like https://users.roblox.com/ etc), also be accessible using the open cloud API key/OAuth authentication, or will we have to wait until those re-appear in some fashion as part of the open cloud?

3 Likes
#10

Hey I filled out the Alpha form to get unlimited users but haven’t gotten a response. Should I resubmit with the new flow or could someone take a look at it?

3 Likes
#11

they have been consistently releasing updates lately

4 Likes
#12

The second video is broken

Also

Why tho

2 Likes
#13

Those APIs continue to be cookie-based only. I recommend using the userinfo endpoint mentioned in the announcement to get user information using an OAuth token.

If you want additional OAuth scopes feel free to explain your use cases here and they will be considered. You can also post in #feature-requests:website-features about this if this announcement is locked in the future.

1 Like
#14

We enforce ID verification as one method of warding off bad actors and abusive apps that either contain inappropriate content or misuse the permissions that were granted to them. It asserts extra accountability on the app developers.

12 Likes
#15

Please submit via the new flow!

3 Likes
#16

although I kind of agree, I think people should learn by themselves the security risk instead of having to impose them this need, it’s like spoonfeeding them because they can’t secure their account.

#17

ID verification is enforced on those making OAuth apps, not people using the apps. You only need to be ID verified to create an app.

#21

This is excellent news! I’ve been waiting for this to be public for a while.

As an aside, would it be possible to get the OIDC Discovery endpoint, as some OIDC libraries recommend (or even require) this?

Edit: helps to read the docs :sweat_smile:

I assume in future this is how every high profile tech company will log into their mission critical datacentres.

8 Likes
#22

Are required permissions able to be changed without user notice? This was a problem with chrome extensions for a while and it could be an issue for user privacy.

#23

Check out: https://apis.roblox.com/oauth/.well-known/openid-configuration

4 Likes