Authorisation denied for request

Hey there!

I’m currently trying to make a script with which it’d be possible to send Messages to other users - however roblox keeps returning the error: “Authorization has been denied for this request.”.

I have no clue as to why this is happening, I send both the roblosecurity cookie and the x-csrf-token in the request.

My script (node.js)

        async function token() {

            let suc = undefined
            let xtoken = cachedToken.x_csrf

            await axios.post('https://auth.roblox.com/v2/login', {
                headers: {
                    "Cookie": `.ROBLOSECURITY=${config.cookie}`,
                    "X-CSRF-TOKEN": xtoken
                }
            }).then((resp) => {
    
                suc = true
    
            }).catch((e) => {

                console.log(e.response.headers)

                if (e.response) {

                    if (e.response.headers) {

                        if (e.response.headers[`x-csrf-token`]) {

                            xtoken = e.response.headers[`x-csrf-token`]

                        }

                    }

                }

                suc = false

            })

            return { suc, xtoken }

        }

        let tokenData = await token()

        console.log(tokenData)

        if (tokenData.xtoken) {

            await axios.post(`https://privatemessages.roblox.com/v1/messages/send`, {
                headers: {
                    "Cookie": `.ROBLOSECURITY=${config.cookie}`,
                    "X-CSRF-TOKEN": tokenData.xtoken
                },
                body: {
                    subject: "fromcode",
                    body: "some testing body",
                    recipientId: 997900401
                }
            }).then((resp) => {

                resp = resp.json()
                console.log(resp.data)

            }).catch((err) => {

                console.log(err.response.data)
                console.log("err")

            })

        } else {



        }

If anyone knows what I did wrong, please let me know!

Thanks for reading!

Which API request gives you this error? It might be that you try to log in, which possibly changes the cookie or modifies authorization. I personally wouldn’t even bother with the login API as a cookie is sufficient enough to basically do anything. Your error most definitely comes from authorization, and although I’d think it would be the x-csrf-token, you have provided it so I think it has to do with you trying to log in. If I am correct, the login API requires another API call to get a Captcha and a second one to verify. This is very confusing and I don’t know how exactly it works, so just scrap the authorization part altogether and use cookie instead. (Basically, you can make any calls you want by just providing the cookie and the x-csrf-token wherever needed)

the login api is only there to get the x-csrf-token, which is required for the privatemessages api

You don’t need the login API for the x-csrf-token. You can make two calls to the privatemessage API in order to retrieve it. The first one is used to retrieve the x-csrf-token and the second is used to make the call. I made a topic a while back asking why I kept getting an error, and I realized the existence of x-csrf-token, which was not documented anywhere in Roblox. Here is a sample code that utilizes a recursive function that gets the x-csrf-token and then attempts to call again (this was in Python):

I am pretty sure your authorization attempt is messing you up as it is incomplete and registers the cookie as invalid. Additionally, it could be that your cookie might be invalid. That can happen too. In short, just recursively call your function for the x-csrf-token and then attempt to call it again with the x-csrf-token. That should work for as long as your cookie is valid.

I have tried retrieving the x-csrf token from the privatemessages but the server returned none.

Then are you sure your cookie is valid? Authorization denied is usually because you have invalid authorization, which in our case would be your cookie. I find it odd that it wouldn’t return an x-csrf-token. I’ll check it out on my bot, but do check out if your cookie is valid.

the cookie is valid, other requests work just fine.

Something must be off with your code then. I tried using the API myself and it works just fine:

        // `cookie` and `XCSRFTOKEN` are defined elsewhere in the bot;
        // XCSRFTOKEN holds the last token that worked.
        async function sendRobloxMessage(data, retry = true, token = XCSRFTOKEN) {
            let response = await axios({
                method: "POST",
                url: `https://privatemessages.roblox.com/v1/messages/send`,
                data: data,
                headers: {
                    "Cookie": `.ROBLOSECURITY=${cookie}`,
                    "Content-Type": "application/json",
                    "Accept": "application/json",
                    "X-CSRF-TOKEN": token
                },
                // Never throw on non-2xx responses; the status is checked below.
                validateStatus: function () {
                    return true;
                }
            })
            if (response.status == 403) {
                try {
                    // A 403 with error code 0 is treated here as a rejected token;
                    // the response header carries a fresh one.
                    const body = response.data
                    const responseCode = body["errors"][0]["code"]
                    if (responseCode == 0) {
                        if (retry == true) {
                            // Retry once with the token the server just returned.
                            return await sendRobloxMessage(data, false, response.headers["x-csrf-token"])
                        }
                    }
                } catch (error) {
                    console.error(error)
                    return response
                }
            } else if (response.status == 200) {
                // Cache the token that worked for later calls.
                XCSRFTOKEN = token
                const body = response.data
                if (body["success"] && body["success"] == true) {
                    return body
                }
                return body
            }
            return response
        }
        new Command("message", async (message, []) => {
            let response = await sendRobloxMessage({
                subject: "Testing",
                body: "Hello there! This is an automated message.",
                recipientId: 161328565
            })
            console.log(response)
        }, {})


1 Like

https://developer.roblox.com/en-us/api-reference/class/HttpService

  • Requests cannot be made to any Roblox website, such as www.roblox.com.

This has nothing to do with his question. He isn’t using HTTPService nor is he making the requests from the website itself. He is using Node.js and an external script.

nor is he making the requests from the website itself.

Incorrect.

Wdym incorrect? He is using typescript/node.js which don’t have any correlation to the roblox site apart from the apis whatsoever.

this would make sense if he was using HttpService, but as you can see in the code he is not.

Incorrect as in the requests are not being proxied through another server, they are being issued directly to Roblox’s servers.

I wasn’t aware when I made my initial post that the script wasn’t written in Lua (didn’t check), so you can disregard my posts.

??? Could you please elaborate, why would they need to be proxied through another server? He should be able to use the roblox api perfectly fine outside roblox studio.

No worries, just please check next time before replying to a thread.

Please add "Content-Type": "application/json" in the request headers, and here’s a similar thread which was answered, please check it to see if it resolves your issue.

2 Likes
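
Added example, not code from any post in this thread: in `axios.post(url, data, config)` the second argument is the request body, so the call shape in the original post sends its `headers` object as JSON data and the cookie and token never reach the server as headers. The sketch below runs that shape and the token-retry shape against a constructed in-memory stand-in; `fakeEndpoint`, its 401-then-403 check order, the `post` shim and all sample values are assumptions, not Roblox's server or axios itself.

```javascript
// Constructed stand-in for a cookie + CSRF protected endpoint (not the real server).
// Assumption: the session cookie is checked first (401), then the CSRF token (403).
const VALID_COOKIE = ".ROBLOSECURITY=constructed-session"; // constructed value
const ISSUED_TOKEN = "constructed-csrf-token";             // constructed value

function fakeEndpoint({ headers = {}, body }) {
    if (headers["Cookie"] !== VALID_COOKIE) {
        const message = "Authorization has been denied for this request.";
        return { status: 401, headers: {}, data: { errors: [{ message }] } };
    }
    if (headers["X-CSRF-TOKEN"] !== ISSUED_TOKEN) {
        // Rejected token: answer 403 and hand out a fresh token in a response header.
        return { status: 403, headers: { "x-csrf-token": ISSUED_TOKEN }, data: { errors: [{ code: 0 }] } };
    }
    return { status: 200, headers: {}, data: { success: true, received: body } };
}

// Hypothetical shim with the argument order of axios.post(url, data, config):
// the second argument is the request body; only `config` carries headers.
async function post(url, data, config = {}) {
    return fakeEndpoint({ headers: config.headers || {}, body: data });
}

// Call shape from the original post: credentials nested inside the body argument.
async function sendMisplaced(message) {
    const creds = { "Cookie": VALID_COOKIE, "X-CSRF-TOKEN": ISSUED_TOKEN };
    return post("/v1/messages/send", { headers: creds, body: message });
}

// Corrected shape: message as body, credentials in config.headers, one retry on 403.
async function sendWithCsrfRetry(message, token = "") {
    const headers = { "Cookie": VALID_COOKIE, "Content-Type": "application/json", "X-CSRF-TOKEN": token };
    let attempts = 1;
    let resp = await post("/v1/messages/send", message, { headers });
    const fresh = resp.headers["x-csrf-token"];
    if (resp.status === 403 && fresh) {
        headers["X-CSRF-TOKEN"] = fresh;
        attempts += 1;
        resp = await post("/v1/messages/send", message, { headers });
    }
    return { ...resp, attempts };
}

(async () => {
    const msg = { subject: "Testing", body: "constructed message", recipientId: 1 };
    console.log("misplaced:", (await sendMisplaced(msg)).status);
    console.log("corrected:", await sendWithCsrfRetry(msg));
})();
```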