API Keys and OAuth 2.0 tokens now supported on select API Sites

appletree008 · August 6, 2024, 10:16pm

[Update] October 17, 2024

appletree008:

Expanded API Support Now Available!

We’re thrilled to announce that we’ve rolled out support for 68 endpoints across 6 different APIs, each compatible with API Keys and OAuth 2.0 access tokens. You can explore the complete list of endpoints in our documentation.

Highlights

Badges API

Update badge details

More features coming

Develop API

Fetch and update Team Create settings and members

Additional features are in progress!

Followings API

Follow, unfollow, and fetch followings

Game Internationalization API

Update localized icons, names, and descriptions for badges, passes, developer products, and experiences

Manage an experience’s source language and supported languages

Groups API

Fetch and update group information, statuses, settings, and audit logs

More updates are on the way!

Localization Tables API

Fetch and update entries in localization tables

With these new endpoints, you can manage and update content for experience testing, releasing updates, and group management. And that’s not all - we’re working hard to release more endpoints soon, so stay tuned.

We’d love to hear your feedback

Your input is invaluable to us as we continue to work on more APIs. If you have suggestions or run into any issues, please don’t hesitate to share your thoughts with us!

Hi Creators,

We are excited to announce that we will start supporting API Key and OAuth 2.0 authentication on many of our existing public APIs. The first two API Sites released are Badges API and Followings API.

OAuth 2.0 provides a secure way for users to grant access to application owners to view the users resources. Instead of sharing cookies, users can now grant access to specific permissions required by third party applications. Developers can also leverage API Keys to access our APIs instead of dealing with the friction and risk associated with cookies.

Related to this change, HBA tokens are also being released to prevent attackers from using compromised cookies (see Introducing Account Session Protection for more details). With these two releases, our API ecosystem becomes safer and gives users more control over their data.

We have introduced UI changes that communicate that these API Sites are being considered legacy. The SLA for these APIs is the same. They do not follow the same patterns or standards as our new Open Cloud APIs, and they may change without notice and break your application. Please use with caution.

There are changes required by developers to use these new authentication types. The API subdomain is now apis instead of the previous product name. The route was also updated to include legacy-{productName}. For example, badges.roblox.com/v1 is now apis.roblox.com/legacy-badges/v1 for API Key and OAuth requests. Our existing cookie-based APIs remain the same. This change modernizes our APIs and increases parity with the existing Open Cloud APIs.

We are actively working on adding support for experience-related APIs and others. We created new Open Cloud Legacy docs and will keep it updated as new endpoints become available!

Please read our Open Cloud docs to learn more about creating API Keys and OAuth applications.

We are excited to see what you will build,
The Open Cloud Team

system · August 6, 2024, 10:26pm

This topic was automatically opened after 10 minutes.

ValiantWind · August 6, 2024, 10:27pm

Will API Key and OAuth 2.0 authentication support eventually be added for ALL of the existing and supported public APIs in the future?

2jammers · August 6, 2024, 10:30pm

Bulldo344 · August 6, 2024, 10:30pm

Amaznigggg!!! Thank you to the Open Cloud Team for pushing out these amazing updates!

A project I work on is currently using developer products, and the API is very very unreliable and it’s “internal server error” every other night/every night → Is developer products with Open Cloud planned?

ValiantWind · August 6, 2024, 10:31pm

I’m aware. I’m asking if they will be added for the rest of the existing apis in the future, or if there will be certain ones that will be excluded.

2jammers · August 6, 2024, 10:32pm

for best security practices, likely most. an engineer told me and a few others that some sort of asset upload API would be coming to open cloud as well

ChasingSpace · August 6, 2024, 10:41pm

Love it! Will we see Swagger documentation on other apis.roblox.com endpoints? I really enjoy them.

Additionally, will it ever be possible for members of a group to authenticate OAuth apps with permissions in the group? I can see this working by allowing the group owner to determine which scopes can be granted by role.

This would be appreciated as currently I don’t want to manually share API keys with our team members as we scale, and I attempted to work around this with OAuth and realized you need to own the group.

Because of this limitation, I’m planning on creating basically a wrapper for this by having my own web API that uses OAuth to check if you are within our group and have the correct role, and automatically creates an API key specifically for you with the proper permissions. I really don’t like the idea of sharing a single API key for everyone on our team (and it sounds a bit fun/wild to do).

ThePoinball · August 6, 2024, 10:50pm

Would be great to have all the Group API with that same feature!

MightyPart · August 6, 2024, 11:26pm

My Typescript Roblox API wrapper now supports these new(ish) endpoints.

LegacyBadgesApi docs → https://open.blox.wiki/cloud/legacyBadges/updateBadge
LegacyFollowingsApi docs → https://open.blox.wiki/cloud/legacyFollowings/universeFollowingsForUser

Install

npm i openblox

Example Usage

import "dotenv/config"

import { setConfig } from "openblox/config"
import { LegacyFollowingsApi, LegacyBadgesApi } from "openblox/cloud";

setConfig({ cloudKey: process.env.CLOUD_KEY })

;(async () => {
  
  const { data:followings } = await LegacyFollowingsApi.universeFollowingsForUser({ userId: 45348281 })
  console.log(followings)

  const { data:success } = await LegacyBadgesApi.updateBadge({ badgeId: 2124533401, description: "hello" })
  console.log(success)

})();

Abcreator · August 6, 2024, 11:36pm

Is there any reason why the read endpoints are seemingly not yet supported on the legacy parity API for badges?

Also, I noticed that the legacy APIs have much more generous rate-limits than the newer counterparts:

Legacy followings API:

10,000 requests, resets every 2 seconds.

New OpenCloud followings API:

500 requests, resets every 6 seconds.

While I doubt anyone is actually using all 10,000 requests every 2 seconds; the stricter rate-limits could cause problems for other legacy APIs which are hit more often. This adds friction for some developers who hit the endpoints quite often and makes the switch also have tradeoffs, hence making it not a “no-brainer” decision for such developers.

appletree008 · August 7, 2024, 3:50am

No, we will not support all of them. Some are considered too high risk (for example, those that spend Robux, like CreateBadge), and others will not be supported because they do not align with company priorities or are already supported in existing Open Cloud APIs.

appletree008 · August 7, 2024, 4:01am

Currently, there are no plans to onboard the Developer Products API due to various implementation details. However, if this issue persists, I encourage you to submit a bug report. Reliability is a priority for us, and any API that consistently fails should be investigated.

appletree008 · August 7, 2024, 4:12am

Is there any reason why the read endpoints are seemingly not yet supported on the legacy parity API for badges?

Yes, most of them do not require authentication, so we decided we should focus on onboarding other endpoints instead.

the stricter rate-limits could cause problems for other legacy APIs

Yes, we are setting rate limits on a case by case basis and intend to set them sufficiently high for all APIs.

PureBigMadBoatMan · August 7, 2024, 6:06pm

Just to follow up on this, @appletree008 is talking about adding OAuth and API key support for the existing dev products API.

Full Open Cloud support for dev products is on our radar and not ruled out; can’t make any promises either though. We’d like to do it, and feedback like this is a helpful prioritization signal.

@Bulldo344 FYI

colbert2677 · August 7, 2024, 8:00pm

I’m very happy to see progress regarding OAuth2 support and Open Cloud. I’m essentially just waiting to be able to write with group resources (bless that we have read now!) before I dip my toes in.

My number one use case has always been Roblox verification (allowing a Discord bot to cleanly and directly know a Roblox account for data tooling) and semi-automatic group management without the pain of cookies or “add this text to your description” type services.

appletree008 · August 8, 2024, 5:56pm

Love it! Will we see Swagger documentation on other apis.roblox.com endpoints? I really enjoy them.

This is TBD right now. Because we do have the existing docs (e.g. Swagger UI) we may not create the new apis.roblox.com docs for all API Sites. We will keep you updated.

Additionally, will it ever be possible for members of a group to authenticate OAuth apps with permissions in the group?

Are you asking about any scopes in particular? We may consider this in the future, but it is not on our roadmap this year.
Does the “Create group API keys” permission help solve your problem?

ChasingSpace · August 9, 2024, 1:28am

There are some particular ones that are useful (from dev perspective), such as asset, universe, universe-places, and universe-datastores. We make use of external tooling (Rojo, Lune, etc.) within our studio, and we’ve made things that help us with this workflow and move quickly.

Unfortunately, it is tedious to manually maintain API keys at scale (multiple groups, growing # of team members, granular permissions, etc.). I had hoped OAuth would get me like 90% there, but unfortunately not.

Thankfully yes, but in a weird way - I ended up creating my own API that you sign into with OAuth, it verifies your account, and creates API keys for you with the appropriate permissions based on who you are, what groups you’re in, and your roles in them.

Otherwise, no. That permission allows them to create an API key with any permission, which isn’t what I’m looking for here.

I’ve created a feature request thread so it can be better tracked internally (or something, at least): Allow group members to grant OAuth app permissions to groups they don't own

I look forward to really anything. I hammer a lot whenever these API things come up about documentation because there’s a lot going on under apis.roblox.com that simply has no docs at all.

Hopefully we can get a consolidated docs page (similar to the old api.roblox.com/docs) again sometime soon, especially as more formerly documented APIs get deprecated/removed and migrated there. I’ll create a feature request for this too if there isn’t one already, maybe that helps move this further.

appletree008 · August 21, 2024, 11:38pm

Hopefully we can get a consolidated docs page (similar to the old api.roblox.com/docs ) again sometime soon, especially as more formerly documented APIs get deprecated/removed and migrated there. I’ll create a feature request for this too if there isn’t one already, maybe that helps move this further.

We created a new docs section for legacy APIs here, and because of this, we will not be supporting the swagger docs on the apis.roblox.com domain going forward for these legacy APIs.

appletree008 · September 12, 2024, 10:14pm

Hi everyone,

We’re excited to announce that we’ve expanded our support for new API Sites! Game Internationalization API’s Badge, Developer Product, and Game Pass endpoints now support authentication through both API Key and OAuth.

For more details, please check out our documentation here.