Are Auto Group Payouts Possible?

Is it possible to make automated group payouts? Maybe with the Roblox API? I was thinking of making a code system sort of like https://hazem.gg, whenever you enter a valid code and your username it pays you robux. How does this work?

7 Likes

Yes. Anything that can be done with user input on the website can also be done automatically elsewhere.

The web API endpoint for group payouts is https://groups.roblox.com/v1/groups/{GROUPID}/payouts. You have to send a POST request with the following payload format:

{
  "PayoutType": "FixedAmount",
  "Recipients": [
    {
      "recipientId": {USERID},
      "recipientType": "User",
      "amount": {AMOUNT_IN_ROBUX}
    }
  ]
}

and the request has to include the group owner’s Roblosecurity cookie, and an X-CSRF-TOKEN since it is sent with cookies.

Note that the group owner has to have 2-step verification turned off or else it will need to be authenticated with a 2FA token as well (there are services that allow you to get 2FA tokens with an API, though). Also, the user has to have been in the group for more than 2 weeks to receive payouts, which might not work if you’re giving out Robux to members who only join the group to get it.

Hazem.gg works by programmatically buying a gamepass or asset, not through group payouts. If you don’t have an asset/gamepass with the amount it is trying to send you, it will fail.

6 Likes

I turned off 2 step verification, but even when you want to payout manually it says to turn on 2 step verification. And also I’ve tried this before with RoProxy and it always gives me an error saying “Challenge is required to authorize the request.”

2 Likes

Yeah so you’d have to use an API to get the two-step token and authorize the request in advance. Time-based One-time Passwords are a standardized, open-source spec which is why you can use many different authenticator apps to achieve the same result (and why they work offline). The code that you input to set it up, whether it’s with a QR code or by entering it manually, just acts as a “seed” or a key that can be used to generate and verify one-time codes.

There are a few services, that I won’t name here, that will use your seed to generate and return codes when you send a request to their API. You could then grab the returned code and authenticate the payout request. Not an ideal solution but I don’t think there’s any way to disable forced 2FA.

1 Like

Why can’t you name one of these services?

1 Like

Roblox probably doesn’t want you doing this. But if you google “generate otp from secret online” or “generate otp from secret api” you’ll find some.

1 Like

I see, but what would I input as the secret key to generate a code?

1 Like

You can get the secret key when you sign up for two-step verification. Go into security settings, enable “authenticator app,” then instead of scanning the QR code, click “Can’t scan the QR code? Click here for manual entry.” and it will show you the secret.

1 Like

But won’t this key keep changing?

1 Like

No. It stays the same. It will last forever unless you turn off 2-step.

You never have to rescan the QR code in your authenticator app. The QR code simply holds the key, so when you scan it, all the app does is save the secret. Then it’s able to use it to generate one-time codes whenever you need to.

1 Like
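How a fixed secret yields changing codes, as an added example that is not part of any post in this thread: a minimal RFC 6238 TOTP generator and verifier using only Node's built-in crypto module, so codes can be produced locally without sending the seed to a third-party service. It assumes the manual-entry key is base32 and that the service uses the common defaults (HMAC-SHA1, 30-second step, 6 digits); the demo key is the RFC 6238 test secret, not a real account key.

```javascript
const nodeCrypto = require("node:crypto");

// Decode RFC 4648 base32, the usual encoding of an authenticator "manual entry" key
// (assumption: the key shown at setup is base32, as with most TOTP deployments).
function base32Decode(text) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text.toUpperCase().replace(/[\s=-]/g, "")) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error("invalid base32 character: " + ch);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the unconsumed low bits
    }
  }
  return Buffer.from(bytes);
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac("sha1", key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 10 ** digits).padStart(digits, "0");
}

// RFC 6238 TOTP: the counter is the number of whole 30-second steps since the epoch.
function totp(key, unixSeconds = Math.floor(Date.now() / 1000), digits = 6, step = 30) {
  return hotp(key, Math.floor(unixSeconds / step), digits);
}

// Server-side check: accept the current step and one either side for clock skew.
function verifyTotp(key, code, unixSeconds, skewSteps = 1, step = 30) {
  const given = Buffer.from(code);
  for (let d = -skewSteps; d <= skewSteps; d++) {
    const expected = Buffer.from(totp(key, unixSeconds + d * step, code.length, step));
    if (expected.length === given.length &&
        nodeCrypto.timingSafeEqual(expected, given)) return true;
  }
  return false;
}

// Constructed demo key: the RFC 6238 test secret "12345678901234567890" in base32.
const DEMO_KEY = base32Decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ");
```

Anyone who holds the secret can compute every future code, which is why the key is as sensitive as the password itself.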

Okay so I get the code, then how can I authorize the request? Do I set it as some sort of header for the request, or something else? Sorry, I don’t know that much about requesting and most things HTTP related.

1 Like

Hey I know it’s been a while but I’m still curious, how can I authorize the request once I get the one time code?

Hi, if your request to “https://groups.roblox.com/v1/groups/{GROUPID}/payouts” returns error 403 and a “Challenge is required to authorize the request” message, you have to complete a 2fa challenge first, and send it with your request again.

In a “rblx-challenge-metadata” response header from the request with 403 error, you get a base64 encoded json string, containing “challengeId” key (I will refer to it as {CHALLENGEID} from now on). You also get a header “rblx-challenge-id”, with a different id, that you should save for later.

You then have to make a POST request to “https://twostepverification.roblox.com/v1/users/{USERID}/challenges/authenticator/verify”, with a body containing this json: {"challengeId":"{CHALLENGEID}","actionType":"Generic","code":"{YOURCODE2FA}"}

In a response to that, you should hopefully receive this json:
{"verificationToken":"{VERIFICATIONTOKEN}"}

After all that, you can finally send your validated request to “https://groups.roblox.com/v1/groups/{GROUPID}/payouts”, containing the same body as always, but with a few new headers:

  • rblx-challenge-id - you should enter here the challenge id from the response header of your initial post request (rblx-challenge-id)

  • rblx-challenge-type - just put “twostepverification” here

  • rblx-challenge-metadata - put a base64 encoded json here:
    {"verificationToken":"{VERIFICATIONTOKEN}","rememberDevice":false,"challengeId":"{CHALLENGEID}","actionType":"Generic"}

And that’s it. You should now get a 200 OK message as a response, and your robux should be paid out. Just remember that there are two separate challengeIds, and you shouldn’t mix them up together.

EDIT:

before sending your final request with all confirmed challengeIds to groups.roblox.com, you need to send an additional request to https://apis.roblox.com/challenge/v1/continue, here’s my code in the JavaScript programming language:

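// Values carried over from the earlier steps:
//   verifToken        - verificationToken returned by the authenticator verify request
//   actualChallengeId - challengeId decoded from the rblx-challenge-metadata header
//   rblxChallengeId   - value of the rblx-challenge-id header
//   token             - current X-CSRF-TOKEN
let challengeMetadata = {
  "verificationToken": verifToken,
  "rememberDevice": false,
  "challengeId": actualChallengeId,
  "actionType": "Generic"
};

let headersList = {
  "Accept": "*/*",
  "Cookie": ".ROBLOSECURITY=" + process.env.RBLXKEY,
  "X-CSRF-TOKEN": token,
  "Content-Type": "application/json"
};

// challengeMetadata is sent as a JSON string nested inside the JSON body
let bodyContent = JSON.stringify({
  "challengeId": rblxChallengeId,
  "challengeType": "twostepverification",
  "challengeMetadata": JSON.stringify(challengeMetadata)
});

let response = await fetch("https://apis.roblox.com/challenge/v1/continue", {
  method: "POST",
  body: bodyContent,
  headers: headersList
});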
2 Likes
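The header handling described in the post above, as an added example that is not the poster's code: offline helpers that decode the rblx-challenge-metadata header, keep the two IDs under separate names, and build the verify body and the retry headers. Header names and JSON keys are the ones given in the post; the function names and the sample header values are constructed for illustration.

```javascript
// Decode the base64 JSON carried in the rblx-challenge-metadata header.
function decodeMetadata(b64) {
  const obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (typeof obj.challengeId !== "string" || obj.challengeId === "") {
    throw new Error("metadata has no challengeId");
  }
  return obj;
}

// Pull both IDs out of the 403 response headers and keep them under distinct names.
function readChallenge(headers) {
  const headerChallengeId = headers["rblx-challenge-id"];
  if (!headerChallengeId) throw new Error("no rblx-challenge-id header");
  const metadataChallengeId = decodeMetadata(headers["rblx-challenge-metadata"]).challengeId;
  return { headerChallengeId, metadataChallengeId };
}

// Body for the authenticator verify call: uses the ID from the decoded metadata.
function verifyBody(ids, code) {
  return JSON.stringify({ challengeId: ids.metadataChallengeId, actionType: "Generic", code });
}

// Headers for the retried request: header ID as-is, metadata re-encoded as base64 JSON.
function retryHeaders(ids, verificationToken) {
  const metadata = { verificationToken, rememberDevice: false,
    challengeId: ids.metadataChallengeId, actionType: "Generic" };
  return {
    "rblx-challenge-id": ids.headerChallengeId,
    "rblx-challenge-type": "twostepverification",
    "rblx-challenge-metadata": Buffer.from(JSON.stringify(metadata)).toString("base64"),
  };
}

// Constructed sample of the 403 response headers; both IDs are made-up values.
const SAMPLE_403 = {
  "rblx-challenge-id": "constructed-header-id",
  "rblx-challenge-metadata": Buffer.from(
    JSON.stringify({ challengeId: "constructed-metadata-id" })).toString("base64"),
};
```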

Hi, thank you very much for this. One problem I have with this is that the first link (https://twostepverification.roblox.com) does not work when you replace roblox.com with roproxy.com, it gives me an error saying HttpError: DnsResolve, is there any way around this?

Oh, I don’t use proxies for the roblox requests, so I won’t be able to help you with that. Maybe try using a different proxy that allows requests to this endpoint?

I can’t find any proxies that allows requests to that endpoint.

You can always make your own proxy with a simple PHP script on cheap hosting.

How can I do this, may you provide an example please?

Here’s a devforum post discussing that: How can I make my own Roblox API Proxy?

Hey I know it’s been some time, but I got a question. When I post a request to groups.roblox.com for the payouts thing and I decode the challenge metadata I get the challengeId, but when I try to put that challengeId in the body of the other url it says “invalid challenge id”. Do you know why it happens? Am I even using the right challengeId? I also realised every time I post another request to groups url, the decoded challengeId that outputs changes.