Add support for Groups OpenCloud under group API keys

As it stands, right now, you must use an API key under your account in order to use the groups OpenCloud API.

Not only is there insufficient documentation on this, it is also a huge security risk.

A big part of using OpenCloud keys is the fact that security is extremely important for such sensitive actions that can be accessed through an endpoint.
The current workaround for this is to create an account with the sole purpose of using an API key for ranking players. This is nonsensical considering there already is support for groups using API keys for other APIs such as datastores, for example.

Please consider…
in the meanwhile I’ll be using an alternative account, prone to all the risks associated with using an account instead of an API key, for the purpose of ranking people in groups.

The response when using the endpoint under a group API key:

    { "code": "UNAUTHENTICATED", "message": "Unsupported authorization method." }


@Hooksmith Piggy-backing off of your response in this thread, this feature request describes the “issue” I was referring to.

You can’t use group API keys with the new ranking API. Only user ones. I’m assuming this is because if it did support group API keys, there’d be no user to log the rank change on behalf of in audit logs and such. This is such a detriment to our workflows and a huge user safety concern, as aforementioned.

Edit: Oh, you’re here.

Thanks for bringing this up, we’re aware of some limitations around group API keys, will raise it with the team. Please use API keys owned by users for now.

Also worth noting that the description of the relevant permissions hasn’t yet been updated to include a section about changing user ranks:

If I need to file a bug report here, let me know. Hoping you can pass it on without this happening though.

It’s not going to be a goal of ours to immediately update all of these references overnight. You can expect various non-user-facing parts of the product like this to still refer to it as “groups” at times, this is expected behavior. Especially for the scopes here, those are used in API key and OAuth logic by third parties, so if we were to change those scope strings suddenly, scripts written by the community might break.

It’s not going to be constructive to report that as a bug, we’re aware of it, thanks.

I think I miscommunicated my concern. I’m referring to the descriptions of the permissions, ex. changing this:

“This allows you to manage community join requests for your account”

to this:

“This allows you to manage community join requests and update user roles from your account”

The non-inclusion of this additional permission in the scope description is a safety concern, considering users might not know they’re giving them to 3rd party applications when creating an API key.

Fully aware that the scope titles and other APIs that include “groups” in their core won’t be updated for some time, if ever, as obviously this would be a majorly breaking change.

How do you set things in groups with the API? Like roles, or shout, or ban/kick players with the API?

Any update on this? I just tried using this and discovered this thread as a result.

Still getting the following error message.

    "message": "Unsupported authorization method. Only OAuth tokens and User API keys are supported at this time."

No update on this yet and it’s not scheduled to be worked on yet, there was minimal time between the last post and current date (considering holidays and code freeze periods etc.)

We’re aware of the unintuitive way this works currently and want to improve this in the future, but will take some time to think through and adjust.


Appreciate the response back.

For now, is there any way you could add warnings (whether it be on documentation or on the config page) like you have for the legacy API keys?

It would’ve saved me a bit of time if there were warnings about this.

Hey there! Has there been any update on this? I have a game hosted under a group, and as far as I’m aware I’m unable to use my bot to send messages to game servers using MessagingService without getting the group API key, which as previously stated won’t work. Thanks!

We’re investigating the problem mentioned in this thread, yes. It will take a while before we ship a solution here because we have to do this very carefully since it involves authorization logic changes across Roblox.

Can you work around it on your use case by creating a user-owned API key with the respective scope(s) for the time being?

Sadly I can’t, as the game is hosted under the group and not the group holder, so I can only give an API key to the experiences the group holder owns. I don’t mind waiting as this is the primary reason I needed it, so as long as it’s being worked on (even if it’s gonna be another few months), I don’t mind waiting. Thanks!