Automatically get the X-CSRF-TOKEN [NODE.JS]

I use node.js and I need to auto-fetch the X-CSRF-TOKEN

I am also using noblox.js, but since it uses the endpoint (?),
it will log out and refresh the .ROBLOSECURITY Cookie, which breaks the code and becomes very, very, very time-consuming.

How can I avoid that?


I believe you need to turn this off:

Which can be found in: Only turn this off on an alt account, as it CANNOT be turned back on. (For some godforsaken reason).

This is just due to the fact that IP changes invalidate cookies. So you should be able to get your X-CSRF-Token after this setting is off.

Uhm, nope! This doesn’t change anything at all

Can I see your code? Without the cookie of course.

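// Requests an X-CSRF-TOKEN for the given .ROBLOSECURITY cookie value.
// Returns a promise, so the caller has to await it.
module.exports = async function (cookie) {
    if (!cookie) throw new Error('Cookie not provided');
    const endpoint = ``;
    const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
            cookie: `.ROBLOSECURITY=${cookie}`
        }
    });

    // The token comes back in a response header.
    return response.headers.get('x-csrf-token');
};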

:warning: This does fetch the X-CSRF-TOKEN for the first time, but then the Cookie expires because it logged you out actually.

Or maybe we don’t need an X-CSRF-TOKEN anymore? Don’t think so, but X-CSRF-TOKEN is for confirming actions and stuff; because there is no token in the request, it shouldn’t actually log you out.

So something seems off

You do not want to be sending your ROBLOSECURITY through roproxy. That means the owner of that website could very easily log your cookie and steal your account.

I do not understand your initial question though. You are logged out through the logout endpoint and then when you re-login it’s not setting the X-CSRF-TOKEN?


It also explains why he’s being logged out, and roproxy is a different IP address than the login. As long as he’s using an independent program, he should just be using the auth endpoint directly.

might just ratelimit me

I have a very hard time believing that. You should only be fetching the X-CSRF-Token every 20 minutes as it expires every 30 minutes.

Even if you’re doing 25 requests a minute, that still wouldn’t really be enough to kick off any red flags.


hm, you might be right, let me just do some stuff rq

Pretty sure RoProxy returns an x-csrf-token in the headers of its response that you need to send BACK to it as a header in any further requests to make use of it. May be wrong though

Either way, try using Roblox APIs directly if you can, following what @benpinpop said

Edit: ignore this, I fixed this already, just forgot to await the token request
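The points raised in the thread (keep the cookie off third-party proxies, refresh the token about every 20 minutes, await the token request) combined into one token cache. This is an added example, not code from any poster or from noblox.js. `createCsrfTokenCache`, `allowedHosts`, `fetchImpl` and `now` are hypothetical names, and the endpoint is supplied by the caller because the thread does not show it.

```javascript
// Added example, not the poster's code. The endpoint and the host allowlist
// are supplied by the caller; nothing here is a real Roblox URL.
const REFRESH_AFTER_MS = 20 * 60 * 1000; // refresh interval suggested in the thread

function createCsrfTokenCache({ cookie, endpoint, allowedHosts, fetchImpl = globalThis.fetch, now = Date.now }) {
  if (!cookie) throw new Error('Cookie not provided');
  // Refuse to attach the session cookie to any host that is not explicitly
  // listed as first-party: a proxy operator would receive the cookie as-is.
  const host = new URL(endpoint).hostname;
  if (!allowedHosts.includes(host)) {
    throw new Error(`Refusing to send cookie to non-allowlisted host: ${host}`);
  }

  let token = null;
  let fetchedAt = 0;
  let inFlight = null; // shared promise so concurrent callers trigger one request

  async function refresh() {
    const response = await fetchImpl(endpoint, {
      method: 'POST',
      headers: { cookie: `.ROBLOSECURITY=${cookie}` },
    });
    const fresh = response.headers.get('x-csrf-token');
    if (!fresh) throw new Error(`No x-csrf-token header (HTTP ${response.status})`);
    token = fresh;
    fetchedAt = now();
    return token;
  }

  // Always returns a promise: callers must await it before building headers.
  async function getToken() {
    const stale = token === null || now() - fetchedAt >= REFRESH_AFTER_MS;
    if (!stale) return token;
    if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
    return inFlight;
  }

  return { getToken };
}
```

Passing the result of `getToken()` into a header without `await` sends a promise object instead of the token string, which is the mistake described in the last post.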
