API Endpoint refusing access to some users in group

I am using Lune to download a Place as an rbxl:

• Using the API endpoint: https://apis.roblox.com/asset-delivery-api/v1/assetId/{assetId}
• Authenticating via the x-api-key header.
• Relevant part of the script is here: DownloadPlace.luau (2.1 KB)

The Place I am trying to download:

• Was previously owned by myself
• Has since been moved to a Group
• I am not the owner of the Group

It does not work reliably:

• Request to download the Place with an API key from my own account are successful.
• Requests made using API keys from the Group, or from other users in the Group are not successful.

The users who cannot access it:

• Have been granted edit permissions via studio
• Have been assigned a Role in the Rroup with the “Grant all permissions” property enabled

I have confirmed in all cases that the API keys are correct, the permissions match, and the correct keys are being used by the script.

Is this a bug with the API? How do I grant permissions to other users of the group to allow them to download the place via the API?

I have done some further testing with various API endpoints and it seems there is some misleading info in the docs.

Here are my results from trying to get info about a place which was migrated from my own account to the group:

• Endpoint: https://apis.roblox.com/asset-delivery-api/v1/assetId/105318442004256
• Docs: can’t find them for this endpoint, but it was listed in this post: https://devforum.roblox.com/t/creator-action-required-new-asset-delivery-api-endpoints-for-community-tools/3574403
  • Usefulness: Returns useful data with location to download file from - note this doesn’t use the URL found in the Legacy Assets Asset delivery v1 page.
  • My user API key: Success
  • Other user API key: 409 User is not authorized to access Asset
  • Group API key: 0 Forbidden

• Endpoint: https://assetdelivery.roblox.com/v1/assetId/105318442004256
• Docs: Asset delivery v1 | Documentation - Roblox Creator Hub
• Results:
  • Can’t get this one to work at all. Doesn’t seem to accept the x-api-key header, but works in-browser with Cookie.
  • My user API key: 409 User is not authorized to access Asset
  • Other user API key: 409 User is not authorized to access Asset
  • Group API key: 409 User is not authorized to access Asset

• Endpoint: https://assetdelivery.roblox.com/v2/assetId/105318442004256
• Docs: Asset delivery v2 | Documentation - Roblox Creator Hub
• Results:
  • Can’t get this one to work at all. Doesn’t seem to accept the x-api-key header, but works in-browser with Cookie.
  • My user API key: 409 User is not authorized to access Asset
  • Other user API key: 409 User is not authorized to access Asset
  • Group API key: 409 User is not authorized to access Asset

I have found a solution.

It appears that users still require the legacy permissions to be able to access this API endpoint. However, adding these permissions to a personal key does not solve the issue. Adding these permissions to a group key is not currently possible.

The solution was to give the user full Admin rights via the legacy permissions section:

• In create.roblox.com head to → View as → Group Name
• Under Collaboration → Roles → Legacy Rolls → Click the external link icon next to it
• In the Legacy Roles page, choose the Members link on the left
• Under the users card select Admin from the Role dropdown

This seems to grant the legacy:write permission, allowing the user access to the asset via the endpoint.

Obviously it’s not ideal to need to elevate the user to a full Admin, but until the API perms are updated to properly support Groups this workaround will do.