Auto promotion bot for groups

I understand this is not Lua related, but I’ll give it a shot.

With the new captcha being added, is there any convenient way to make an auto promotion bot for groups? I’ve been trying to find a solution to this for days, without luck. The old one I used is obviously not working anymore, which has led to some small problems within a group I run.


What is your bot doing? It seems to me that is what Roblox was trying to prevent. It is very common to websites to try to prevent favorites, comments, and reviews made by bots so they accurately represent user opinions.

1 Like

Well, Roblox has been patching the packages that is needed to get into the ranking process and login. So, there is really no point because most packages will fail soon enough.

Even if you were to get the bot to respond or anything of that sort, you would see in the log that is fails to log into the needed recourse to be able to promote them.


It’d need to promote certain players after triggering certain events.
Let’s say you want a player to get to the next rank after being x servers in a certain game etc.

It’s often times used for larger groups, and even for the official devforum group until the new captcha arrived. (noting malicious in other words :stuck_out_tongue:)


I understand Roblox not wanting bots that can harm games (liking, favoriting, etc) but why block a useful system that many groups including my own rely on? There’s really not much harm you can do with a join acceptance bot or promotion bot. For example, they sort’ve messed up the DevForums group because the bot that accepts them is broken due to the captcha.


Outside of the known groups API I don’t think there is much you can do if these have a captcha over it.

I have not checked these API’s but if anyone is willing to try them out they can.

Me and my friend checked it out earlier. Nothing helpful can be done with the API, unfortunately :roll_eyes: .

1 Like

Not sure if your bot uses javascript but heres a thread that can bypass the captcha.

(The first part of the thread explains on how to use cookies to login)


Yes, it is a valuable recourse. But, Roblox is seeing it another way. I used to use them myself and used to make them, but since the captcha, they are broke.

There are things that is a security and community risk as to leaving bots able to rank people. A person could very much so, go rouge and demote all the people. There are many things that you can do with a promotion bot. (Even a roblox bot in general.)

You can kick members from the clan, kick members from a group, pay people, view audit logs, etc. There are some pro’s and con’s to the captcha.

In my opinion, I think there should be a lift on the needed resources to have the bot login to roblox to be able to promote, demote, fire, etc. in group.

I personally feel that Roblox should somehow make an in-game API that allows us to promote or control a pending join request. I’m not sure how it’d work, but there are some pretty bright people who I think they could probably figure it out.


I’d recommend getting a suggestion noticed, if one doesn’t already exist then make one, to express the concern that Roblox should work on bot accounts which are specialized for this use case.

Something I don’t quite understand though is that they release all of their API but then say “go away” to bots?

1 Like

I do think this a good idea, there are some ways on roblox to promote users ingame, but I have not really explored them.

I did find this thread, that might be useful.

I am the current maintainer of noblox.js so this is biased.

There are Node.js wrappers for Roblox’s API (noblox.js) that could be of use to you. It bypasses the current captcha by using your .ROBLOSECURITY cookie however it’s really inefficient. You should give it a shot. You may want to check out the noblox.js-server if you were using Froast’s roblox-js-server which broke with Roblox’s updates.

1 Like

We demand OAuth2.

Waits for post to be removed.


Roblox can’t really add something that filters the good bots from the bad bots. Though I agree that there should be a Promotion and Demotion API, a con with adding that would be that developers that have access to editting the group game(s) could easily abuse it and possibly promote/demote people very easily.

1 Like

As @InhxIed said, it’d be too easy to abuse since group edit permissions aren’t the same as group change role permissions - this could be very dangerous.

The difference between good bots and bad bots really only differs in two ways - volume, and context. And since you can’t (computationally) establish the context of actions that a bot is taking (grumble grumble someone will talk about machine learning) the only real ways, other than blocking all user-replicating bots would be establishing a system similar to Discord of permitted bot users (unlikely to happen) which have limits (i.e. no commenting, liking, visiting and volume joins etc.), or blocking volume requests (which has proven ineffective in the past - Roblox has had a captcha when it detected bulk signups from the same IP for some years now).

tl;dr - It’s a challenge to do this right. And frankly, the edge case that is promotion bots isn’t enough to justify keeping the serious malicious bot problem that has effectively wrecked the catalog and group systems.


Enter stage right reCAPTCHA (Computer Automated Public Turing test to tell Computers and Humans Apart) version 3. Version 1 was the prompt to type in the words you see, version 2 was the peculiar “I’m not a robot” checkbox and possible picture challenges, while version 3 is completely invisible, and usually runs on more than just couple protected pages. With the addition of “actions” (think visit page, click button, login), Google says that web hosts gain this advantage: “adaptive risk analysis based on the context of the action (abusive behavior can vary)”. How is this done? Machine learning black magic (or, you know, standard clustering techniques).

If Roblox were to implement this, then it doesn’t matter if a human filled out a CAPTCHA test for a bot. The bots activities should be anomalous in some way from good behavior and flagged. The issues are user privacy, enabling this for millions of concurrent users at peeks, and possibly customizing the solution (AFAIK, Google doesn’t allow developers to label bad and good interactions. In my mind, it would be easier to provide an API for good interactions rather than try to distinguish between good and bad bots.

1 Like

Unfortunately you can’t add reCaptcha or any Captcha solution to API endpoints - and passively, the new invisible captcha released by Google is both intrusive (would you, as Roblox, give any company access to all the actions and data your users provide? I agree with your privacy point) and causes false flags which eventually would really tear into users. reCaptcha is effective but I have had many occasions personally where I have been bombarded by the most annoying and pointless solves over and over because it keeps false flagging me.

As I said before - adding a “bot” account system which would allow access to certain API endpoints like Discord would probably be a fit-all solution to this bot exodus we’re experiencing.

1 Like