API Endpoint refusing access to some users in group

stom_dev · April 1, 2025, 7:50pm

I am using Lune to download a Place as an rbxl:

Using the API endpoint: https://apis.roblox.com/asset-delivery-api/v1/assetId/{assetId}
Authenticating via the x-api-key header.
Relevant part of the script is here: DownloadPlace.luau (2.1 KB)

The Place I am trying to download:

Was previously owned by myself
Has since been moved to a Group
I am not the owner of the Group

It does not work reliably:

Request to download the Place with an API key from my own account are successful.
Requests made using API keys from the Group, or from other users in the Group are not successful.

The users who cannot access it:

Have been granted edit permissions via studio
Have been assigned a Role in the Rroup with the “Grant all permissions” property enabled

I have confirmed in all cases that the API keys are correct, the permissions match, and the correct keys are being used by the script.

Is this a bug with the API? How do I grant permissions to other users of the group to allow them to download the place via the API?

stom_dev · April 1, 2025, 8:55pm

I have done some further testing with various API endpoints and it seems there is some misleading info in the docs.

Here are my results from trying to get info about a place which was migrated from my own account to the group:

Endpoint: https://apis.roblox.com/asset-delivery-api/v1/assetId/105318442004256
Docs: can’t find them for this endpoint, but it was listed in this post: https://devforum.roblox.com/t/creator-action-required-new-asset-delivery-api-endpoints-for-community-tools/3574403
- Usefulness: Returns useful data with location to download file from - note this doesn’t use the URL found in the Legacy Assets Asset delivery v1 page.
- My user API key: Success
- Other user API key: 409 User is not authorized to access Asset
- Group API key: 0 Forbidden

Endpoint: https://assetdelivery.roblox.com/v1/assetId/105318442004256
Docs: Asset delivery v1 | Documentation - Roblox Creator Hub
Results:
- Can’t get this one to work at all. Doesn’t seem to accept the x-api-key header, but works in-browser with Cookie.
- My user API key: 409 User is not authorized to access Asset
- Other user API key: 409 User is not authorized to access Asset
- Group API key: 409 User is not authorized to access Asset

Endpoint: https://assetdelivery.roblox.com/v2/assetId/105318442004256
Docs: Asset delivery v2 | Documentation - Roblox Creator Hub
Results:
- Can’t get this one to work at all. Doesn’t seem to accept the x-api-key header, but works in-browser with Cookie.
- My user API key: 409 User is not authorized to access Asset
- Other user API key: 409 User is not authorized to access Asset
- Group API key: 409 User is not authorized to access Asset

stom_dev · April 2, 2025, 2:05pm

I have found a solution.

It appears that users still require the legacy permissions to be able to access this API endpoint. However, adding these permissions to a personal key does not solve the issue. Adding these permissions to a group key is not currently possible.

The solution was to give the user full Admin rights via the legacy permissions section:

In create.roblox.com head to → View as → Group Name
Under Collaboration → Roles → Legacy Rolls → Click the external link icon next to it
In the Legacy Roles page, choose the Members link on the left
Under the users card select Admin from the Role dropdown

This seems to grant the legacy:write permission, allowing the user access to the asset via the endpoint.

Obviously it’s not ideal to need to elevate the user to a full Admin, but until the API perms are updated to properly support Groups this workaround will do.

system · April 16, 2025, 2:06pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.