As a Roblox developer, it’s currently impossible to upload plugins and models as .rbxm and .rbxmx files through the OpenCloud API. As a result, tools like Rojo are forced to utilize cookie-authenticated endpoints to upload models and plugins, which is fundamentally not safe. I will not explain why directly working with cookies is not safe since it’s a very well documented problem.
Rojo provides a command for uploading projects to Roblox. Specifically, they can be uploaded as plugins, models, or experiences. We are able to use the OpenCloud API for uploading experiences, and currently do so. However, we are unable to upload models or plugins through the OpenCloud API so we are forced to rely upon a legacy endpoint that accepts a .ROBLOSECURITY cookie as authentication.
For the sake of clarity, this is the endpoint we currently use: https://data.roblox.com/Data/Upload.ashx
We would like to upload files safely, and drop support for cookie-based uploading in its entirety. However, it’s not possible to do so at this time.
If Roblox were to add support for uploading rbxm and rbxmx files as plugins and models to the Open Cloud API, it would allow us to swap over to supporting it with no cookie support, and make everyone involved safer since they would not have to expose their cookie. This would also benefit those not using Rojo for the same reason if they wanted to upload assets to the cloud safely.
I realize that this is a very solution-oriented feature request. However, the solution is the problem in this case so I must apologize; there aren’t many ways to say “we would love an API to do this” without saying “we want this specific thing”.