A list of hidden and undocumented apis/endpoints

RakNetProtocol · November 8, 2020, 1:42pm

This list is not in order, in fact it’s out of order, they’ve came from roblox studio, roblox client and many resources on the main site.

Allow: GET

This will return a json version of your usersettings, and will expose some hidden propeties such as clientIP and userblock models
/my/settings/json

Parameters

Type	Name	Value Type	Description

Allow: GET

This will return a list of accepted countries that your account can have.
/account/settings/countries

Parameters

Type	Name	Value Type	Description

Allow: GET

This will return the current IsAccountRestrictionsEnabled boolean.
account/settings/account-restriction

Parameters

Type	Name	Value Type	Description

Allow: POST

This endpoint handles the response for gamecards when purchasing with them.
/gamecard/incommhandler.ashx

Parameters

Type	Name	Value Type	Description
Query	pin	int64	The pin of the gamecard you are using.
Query	cachebuster	int16	Not sure.

Allow: GET

This endpoint checks if the ToS should be shown
/usercheck/show-tos

Parameters

Type	Name	Value Type	Description
Query	isLicensingTermsCheckNeeded	Boolean	Not sure.

Allow: GET

Fun captcha cdn loader.
/fc/api/

Parameters

Type	Name	Value Type	Description

Allow: POST

Redeems a gift card (?)
/upgrades/redeem

Parameters

Type	Name	Value Type	Description
Query	ap	int16	Not sure.
Query	pm	String	Payment-Method.
Query	selectedUpsellProductId	int32	ProductId

Allow: POST

Payments using roblox gift cards
/v1/paymentmethods/redeemCard

Parameters

Type	Name	Value Type	Description
Query	ap	int16	Not sure.

Allow: POST

Payment methods.
/v1/paymentmethods

Parameters

Type	Name	Value Type	Description
Query	ap	int16	Not sure.

Allow: POST

Purchases using PayPal
/v1/paymentmethods/paypal

Parameters

Type	Name	Value Type	Description
Query	ap	int16	Not sure.

Allow: POST

Purchases using creditCard
/v1/paymentmethods/creditCard

Parameters

Type	Name	Value Type	Description
Query	ap	int16	Not sure.

Allow: GET

Robux product policy.
/universal-app-configuration/v1/behaviors/robux-product-policy/content

Parameters

Type	Name	Value Type	Description

Allow: GET

Premium features products
/v1/products

Parameters

Type	Name	Value Type	Description

Allow: GET

Premium features user subscriptions
/v1/users/{userId:long}/subscriptions

Parameters

Type	Name	Value Type	Description
Path	userId	int64	UserId of the user you wish to find the subscriptions of, the must be the authenticated user.

Allow: GET

Analytics tracing image, will redirect to https://ssl.kaptcha.com/logo.htm
/k/logo

Parameters

Type	Name	Value Type	Description
Query	m	String	Not sure.
Query	s	String	Not sure.

Allow: GET

Returns your current private message privacy.
/account/settings/private-message-privacy

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current content-restriction status
/v1/content-restriction

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current game chat privacy.
/account/settings/game-chat-privacy

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current app chat privacy.
/account/settings/app-chat-privacy

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current follow me privacy.
/account/settings/follow-me-privacy

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current Private server invite privacy.
/account/settings/private-server-invite-privacy

Parameters

Type	Name	Value Type	Description

Allow: GET

Returns your current Account Country.
/account/settings/account-country

Parameters

Type	Name	Value Type	Description

Allow: POST

Content delivery.
/WebResource.axd

Parameters

Type	Name	Value Type	Description
Query	d	String	Not sure.
Query	t	String	Not sure.

Allow: GET

Get the current users transactions.
/My/money.aspx/getmytransactions

Parameters

Type	Name	Value Type	Description

Allow: GET

Blog’s favicon cdn
/wp-content/themes/roblox/favicon/manifest.json

Parameters

Type	Name	Value Type	Description
Query	v	int16	Has no affect over the response.

Allow: GET

Get the recent items that your avatar worn.
/v1/recent-items/all/list

Parameters

Type	Name	Value Type	Description

Allow: GET

Get’s the userId’s inventory by the filter.
/users/inventory/list-json

Parameters

Type	Name	Value Type	Description
Query	assetTypeId	int16	The type of asset to filter by.
Query	cursor	String	If the response has multiple pages, use this to paginate towards the next set of response data.
Query	itemsPerPage	int16	How many items per page to show, cannot go above 100.
Query	pageNumber	int16	Similar to pageCursors, except you are using an absolute number unlike an array of characters.
Query	userId	int64	The userId of the user you wish to view the inventory of, they must have it on public or else this will respond with a 401.

Allow: GET

Get a list of settings groups
/account/settings/settings-groups

Parameters

Type	Name	Value Type	Description

Allow: GET

The user’s giftcard credit
v1/credit

Parameters

Type	Name	Value Type	Description

Allow: POST

Payment via vantiv
/upgrades/payment/vantiv

Parameters

Type	Name	Value Type	Description

Allow: POST

Report event when it happens, analytics once again.
/game/report-event

Parameters

Type	Name	Value Type	Description
Query	name	String	Name of the event to report, so far I’ve recorded LoginFunCaptcha_Success, WebsiteLogin_Success, WebsiteLogin_Attempt, WebsiteLogin_FirstAttempt, WebsiteLogin_Captcha, LoginFunCaptcha_Triggered, Vantiv_IFrameRequest_Attempt, Vantiv_IFrameRequest_Sucess, WebsiteAccountSettingsPolicy_Attempt, WebsiteAccountSettingsPolicy_Success, XsollaCreditDebitCards_Succeeded, LoginFunCaptcha_Initialized and LoginFunCaptcha_Displayed.

Allow: POST

Report event with statistics when it happens, analytics once again.
/game/report-stats

Parameters

Type	Name	Value Type	Description
Query	name	String	Name of the event to report, so far I’ve recorded ResourcePerformance_Loaded_funcaptcha_Computer, LoginFunCaptcha_SolveTime_Success.
Query	value	Number	Statistic value to report with.

Allow: POST

Roblox support statistics tracking
/hc/tracking/events

Parameters

Type	Name	Value Type	Description
Query	locale	String	Locale of language to format the response in.

Allow: GET

Returns nothing but reports an event. Basically set’s up something for the .PLATFORM.ID
/pe

Parameters

Type	Name	Value Type	Description
Query	t	String	“Topic” to report analytics towards. Eg `client`
Query	ctx	String	“Context” to report analytics towards. Eg `ABTestService`
Query	evt	String	“Event” to report analytics towards. Eg `ABTestStatus_Pending`
Query	SD.Platform.CT	String	“PlatformCT” to report analytics for.
Query	.Platform.ID	String	“PlatformID” to report analytics for.

Allow: GET

Returns an image and reports an event. Basically set’s up something for the STUDIOSID
/studio/e.png

Parameters

Type	Name	Value Type	Description
Query	studioSid	String	StudioSessionId to report analytics for.
Query	clientID	String	ClientID to report analytics for.
Query	userID	int64	userId of user to report analytics for.
Query	placeID	int64	PlaceId of place to report analytics for.
Query	category	String	“Category” to report analytics towards. Eg `Event`
Query	evt	String	“Event” to report analytics towards. Eg `StudioUserAction`
Query	label	String	“Label” to report analytics towards. Eg `gridSizeToFourAction`
Query	value	Number	Value of some sort of statistic to report with.
Query	platform	String	The platform to report analytics towards. Eg `64bit`

Allow: POST

Increment some sort of server statistic.
/v1.1/Counters/BatchIncrement

Parameters

Type	Name	Value Type	Description
Query	apiKey	String	apiKey in order to report analytics. Current one is `76e5a40c-3ae1-4028-9f10-7c62520bd94f`

Allow: POST

Add batch sort of server statistics.
/v1.0/SequenceStatistics/BatchAddToSequencesV2

Parameters

Type	Name	Value Type	Description
Query	apiKey	String	apiKey in order to report analytics. Current one is `76e5a40c-3ae1-4028-9f10-7c62520bd94f`

There will be a lot more endpoints added to this when I remember how to reproduce them to get the parameters.

RakNetProtocol · November 8, 2020, 5:50pm

I updated the list and added a lot more endpoints, if you have anymore send them here and I’ll add them.

green271 · November 8, 2020, 6:23pm

https://billing.roblox.com/v1/credit is for your giftcard credit balance

RakNetProtocol · November 8, 2020, 6:30pm

A alright, thank you for brining this to my attention.

RakNetProtocol · November 8, 2020, 7:40pm

RakNetProtocol · November 8, 2020, 8:05pm

Another analytics endpoint:
https://ecsv2.roblox.com/client/pbe

it requires some query params or something

RakNetProtocol · November 8, 2020, 8:10pm

The above is also persistent on /studio/pbe

RakNetProtocol · November 9, 2020, 8:27pm

cxmeels · November 13, 2020, 4:03pm

I’m actually quite curious what gold.roblox.com is. I inspected Studio traffic using Wireshark today and it seems to be doing something with that endpoint when calling Players:GetUserIdFromNameAsync.

My first guess was that gold.roblox.com is the actual endpoint for API requests, and other API endpoints (e.g. users, auth, etc.) are just aliases for it that setup the request internally. Which then made me think silver.roblox.com is the old API using ASP.

metatablecatmaid · November 13, 2020, 4:23pm

Adding these because it’s useful, these act as replacements for .roblox.com.

ModManager uses it’s S3 bucket to download sitetest branches.
https://sitetest1.robloxlabs.com
https://sitetest2.robloxlabs.com
https://sitetest3.robloxlabs.com (exists but doesn’t have an /index page)

https://s3.amazonaws.com/setup.sitetest2.robloxlabs.com/version.txt

also a lot of these ‘hidden’ APIs do have partners in their relative subdomain, you shouldn’t be using the assetgame APIs where possible

RakNetProtocol · November 13, 2020, 5:22pm

What was the endpoint it was using? Because I know there are tracker pixels on this site.
http://gold.roblox.com/_/_/1px.gif

cxmeels · November 13, 2020, 5:24pm

I don’t know. Wireshark only provides the hostname for encrypted packets. I tried Fiddler too, but it doesn’t pick up requests made from within the context of a DataModel; only requests made by Studio itself.

RakNetProtocol · November 13, 2020, 5:25pm

I know robloxlabs, but in the most recent dump I had I only dumped *.roblox.com subdomains.
There are subdomains on robloxlabs such as https://setup.opstest1.robloxlabs.com/.
These endpoints are not entirely intended to be used, they are only here as a form of resource. And also I know that the ones that don’t have a /index
https://ash1.statping.aws.robloxlabs.com/ is one

RakNetProtocol · November 13, 2020, 5:33pm

Also, are you directly filtering wireshark towards one protocol? Or are you just watching the requests with no filters?

cxmeels · November 13, 2020, 5:45pm

I didn’t apply any filters. Just captured traffic on my Ethernet adapter. I usually use Fiddler, not Wireshark. I just knew Wireshark can usually see things Fiddler can’t.

RakNetProtocol · November 13, 2020, 5:46pm

Such as TCP and TLS, could we push this to a PM to discuss more?

RakNetProtocol · December 3, 2020, 8:14pm

So after days of painful searching and crying to myself I have uncovered a couple of 6000 subdomains on *.roblox.com and *.robloxlabs.com, keep in mind I am not guaranteeing that these aren’t dead yet. Any of them that timeout, they don’t have index pages.

RakNetProtocol · December 3, 2020, 8:17pm

Almost all gametests are dead btw, I believe gametest4 still exists

metatablecatmaid · January 11, 2021, 4:10pm

redirects to

RakNetProtocol · January 12, 2021, 7:52pm

Why is this relevant to me? Please explain