401 (Unauthorised) when trying to change group shout using Roblox API

This seems to be the right category for this.

I'm currently trying to make a Python program to change the group shout of a Roblox Group.

I keep getting a 401 (unauthorised) error even though I am sending through my .ROBLOSECURITY cookie.

I have been working on this for a few hours and I don't know what to do.

My code looks like this:

import os
import requests

cookie = f".ROBLOSECURITY={os.getenv('ROBLOXTOKEN')}" # change this to your cookie value
group_id = 7846272 # change this to your group ID
url = "https://groups.roblox.com/v1/groups/" + str(group_id) + "/status" # construct the URL for the group API
headers = {"Cookie": cookie} # create a dictionary with the cookie header
data = {
    "message": "string"
}
response = requests.patch(url, json=data, headers=headers)

1 Like


It seems like my .ROBLOSECURITY token is expiring or something like that, because whenever I generate a new cookie, I get signed out of the session when I use the cookie in a request.

Account Session Protection is off on the account:

I think there was some additional header that needed to be added. Possibly X-Csrf-Token?


If that’s the case the failed request will most likely return an x-csrf token within the response headers.

1 Like

Hey there! If you’re 100% sure that your .ROBLOSECURITY is valid, your account has access to group shout and the group ID is correct (these 2 would throw a different error anyway), it’s the absence of an X-CSRF-Token that is causing the issue. (Evident from the code you provided anyway)

What is an X-CSRF-Token? A CSRF (Cross-Site Request Forgery) token is something that is used by the server of a website and your browser to make sure that you’re not a malicious user trying to post data into a server. A server will do this by generating a token when you visit the URL, and sending it back to you during browser loading. Then when you, say, try to send a reply to a thread on that webpage, the X-CSRF-Token (in Roblox’s case) is checked to make sure you’re a valid connection.


How do you generate one? The method I use with my internal systems is that I send a POST request to http://auth.roblox.com with my .ROBLOSECURITY, and if successful, it returns an X-CSRF-TOKEN header. Once I have that header, I cache it in memory in my program. Every time I send a patch, post, put, or delete request (etc.) to Roblox, I send the request with that token. If the response is Token Validation Failed, I refresh the X-CSRF-Token in memory and send the request a second time. If it fails after the second time, then something else is wrong. This is the way I do it, and it’s the way that Noblox.js does it. Here’s an example below; it’s in JS but the concept is the same.

async patch<K>(url: string, data?: {[key: string]: any}): Promise<AxiosResponse<K, any> | AxiosError> {

    data = await this.construct(data); // Constructing the URL with the headers
    var body = data.body || {};
    delete data.body; // Stupid axios stuff, ignore

    var patch = await axios.patch<K>(url, body, data).catch(err => err); // First attempt
    const response = patch.statusText || (patch.response && patch.response.data && patch.response.data.message);
    if (response && response.includes("Token Validation Failed")) {
        this.cache.refreshCSRFToken(); // X-CSRF-Token refresh
        patch = await axios.patch<K>(url, body, data).catch(err => err); // Second attempt
    }
    return patch;
}

Send a POST request to http://auth.roblox.com with your .ROBLOSECURITY; it will return an X-CSRF-Token. Send that with the group shout in headers. If the shout fails the first time for the EXACT reason of Token Validation Failed OR XCSRF Token Validation Failed (Noblox.js includes this but I’ve never seen this error before), refresh the X-CSRF-Token and attempt the request again. If it still fails, something else is wrong.

1 Like
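The cache-and-retry-once flow described in the answer above, as an added Python example that is not part of the original posts and is not Noblox.js code. It takes the fresh token from the rejected response's header, as an earlier reply suggests; `CsrfClient`, `FakeGroupsApi`, `Response`, the 403 status and all token and cookie values are constructed for illustration, and the transport is injected so the block runs offline.

```python
from collections import namedtuple

Response = namedtuple("Response", "status_code headers text")
URL = "https://groups.roblox.com/v1/groups/7846272/status"

class FakeGroupsApi:
    """Constructed stand-in for the server: rejects writes whose token is stale."""
    def __init__(self, current_token):
        self.current_token, self.calls = current_token, 0

    def __call__(self, method, url, headers, json=None):
        self.calls += 1
        if headers.get("X-CSRF-Token") != self.current_token:
            # 403 is an assumption; the thread only quotes the message text.
            return Response(403, {"x-csrf-token": self.current_token}, "Token Validation Failed")
        return Response(200, {}, "ok")

class CsrfClient:
    """Caches the CSRF token in memory and retries a rejected write exactly once."""
    def __init__(self, send, cookie):
        self._send = send      # callable(method, url, headers, json) -> Response
        self._cookie = cookie  # load from the environment; keep out of logs and source
        self._token = None     # in-memory cache, empty until the first rejection

    def _headers(self):
        headers = {"Cookie": f".ROBLOSECURITY={self._cookie}"}
        if self._token:
            headers["X-CSRF-Token"] = self._token
        return headers

    def request(self, method, url, json=None):
        resp = self._send(method, url, self._headers(), json)
        fresh = {k.lower(): v for k, v in resp.headers.items()}.get("x-csrf-token")
        if "Token Validation Failed" in resp.text and fresh:
            self._token = fresh  # refresh the cached token
            resp = self._send(method, url, self._headers(), json)  # second and last attempt
        return resp

def demo():
    api = FakeGroupsApi("constructed-token-1")
    client = CsrfClient(api, cookie="constructed-cookie")
    def shout():
        return client.request("PATCH", URL, {"message": "string"}).status_code
    codes = [shout(), shout()]                 # first call is retried once, second reuses the cache
    api.current_token = "constructed-token-2"  # server rotates the token
    codes.append(shout())                      # stale cache: refreshed and retried once
    return codes, api.calls
```

A second rejection is returned to the caller unchanged, so a bad cookie or missing group permission surfaces as an error instead of a retry loop.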

This might be the solution! Where would I find the X-CSRF-Token, would it be in the headers?
I don’t understand everything about web requests and APIs as I’m still pretty new to this all, your code example was pretty helpful, but it looks like you are sending a PATCH request in your code, where you have mentioned a POST request everywhere else.

Are you doing this on your local machine or a hosting service?

1 Like

I’m hosting this project on Replit.

It won’t work then. Your cookie is region locked, and pretty sure Replit uses dynamic IPs, meaning that all the new security updates are blocking you from doing this.

1 Like

Hmm, OK then. Do you have any other methods to help with this?
(Roblox security updates can be a hassle)

I heard of a groups cloud API but idk much about it

Alright, I will mark your other post as the solution for now. I might try to find some sort of workaround in the future.

1 Like

Just found it

1 Like

Isn’t that just Group Reading? I need to write.

It says you can do group shouts near the bottom

1 Like
