Can't get x-csrf-token for Python ranking bot because I am not authorized

Hello, I am trying to make a Python bot to rank players on Roblox. I am trying to access the x-csrf-token by using the https://auth.roblox.com/v2/logout endpoint, but I am not authorized to access it despite sending my .ROBLOSECURITY cookie.

Other answers suggest that the v2/logout should be successful in returning the x-csrf-token (Getting the X-CSRF token from roblox - #3 by Thezi and How to use Headers with RBLX Web Api - #2 by spliceosome), but I have not been able to get my bot to work with the endpoint.

Here is my Python code:

import requests

authurl = "https://auth.roblox.com/v2/logout"
cookie = "mycookie"
def getXsrf():
    xsrfRequest = requests.post(authurl, cookies={
        '.ROBLOSECURITY': cookie
    })
    print(xsrfRequest.text)

getXsrf()

The response:

{"errors":[{"code":0,"message":"Authorization has been denied for this request."}]}

Any help would be appreciated!

3 Likes

Just a shot in the dark but make sure you have a ; at the end of your cookie. I was making something similar and was stuck for a long time until I figured out you need a ; at the end of every cookie in your cookie list, even if it is just one cookie.

Might also be ".ROBLOSECURITY=" : cookie

1 Like

You aren’t doing this correctly; the x-csrf-token is located in the response headers.
Fixed code:

import requests

authurl = "https://auth.roblox.com/v2/logout"
cookie = "mycookie"
def getXsrf():
    xsrfRequest = requests.post(authurl, cookies={
        '.ROBLOSECURITY': cookie
    })
    print(xsrfRequest.headers["x-csrf-token"])

getXsrf()

edit: it works

4 Likes

I don’t know anything about x-csrf-tokens, but I’m pretty sure you shouldn’t just share your x-csrf-token with other people…

1 Like

I did it on an alt that I don’t really care about.

1 Like

It changes on a frequent basis, it seems. You can access your own x-csrf token through the home page using Inspect Element. I did this and discovered that today my token is different than it was yesterday.

1 Like

It changes every 30 minutes I think

2 Likes

You need to call the roblox website then split where the SetToken field is. Example:
import requests
session = requests.Session()
session.cookies['.ROBLOSECURITY'] = cookie
xcsrf = session.get('https://www.roblox.com/').text.split("Roblox.XsrfToken.setToken('")[1].split("');")[0]

1 Like

Strangely, my headers do not include an x-csrf-token key. Is it possible that my cookie is invalid? I can’t see how it is due to the fact that I’m directly copying and pasting from my browser’s .ROBLOSECURITY cookie.

Anyway, here are the headers I receive:
https://gyazo.com/197e1c8652976997729308c93f19e32d

1 Like

It turns out I wasn’t selecting the entire cookie. I was only selecting the portion after the underscore.

1 Like

It wouldn’t be throwing a 401 only if your cookie wasn’t invalid, the cookie is the problem

2 Likes

Firstly, it returns “Token authorization failed” when there is no X-CSRF-TOKEN and “Authorization has been denied” when the cookie is invalid.

In order to get the x-csrf-token, you need to specify a valid cookie when requesting to https://auth.roblox.com/v2/logout. It will throw token authorization failed, but in the response headers, you would get a header called “x-csrf-token”. When specifying this header for requesting, it’s in all caps. So, you take the “x-csrf-token”, store it in a variable and specify it whenever you request to an endpoint that requires authentication with the name “X-CSRF-TOKEN”.

In order to fix Authorization has been denied, you should generate a new cookie by logging out and logging in again. Make sure to copy the ENTIRE cookie, including the “DO NOT SHARE THIS WITH ANYONE” part.

2 Likes
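The flow described in the post above, as an added example that is not part of any post in this thread: it separates the 401 (bad cookie) case from the 403 reply that carries the token, and refreshes the token once when it has rotated. The `session` argument is assumed to be a `requests.Session`-like object; `CookieRejected`, `fetch_csrf_token`, `csrf_post` and the `ROBLOSECURITY` environment variable are hypothetical names, and the retry assumes other endpoints return a fresh `x-csrf-token` on 403 the same way the logout endpoint does.

```python
import os

AUTH_URL = "https://auth.roblox.com/v2/logout"  # endpoint named in the thread


class CookieRejected(Exception):
    """401: the .ROBLOSECURITY cookie is invalid, expired or truncated."""


def fetch_csrf_token(session, url=AUTH_URL):
    """POST without a token; the 403 reply carries x-csrf-token in its headers."""
    # A None value drops any token already stored on the session, so this
    # call can never succeed as a real logout and invalidate the cookie.
    resp = session.post(url, headers={"X-CSRF-TOKEN": None})
    if resp.status_code == 401:
        raise CookieRejected("Authorization has been denied: re-copy the whole cookie")
    token = resp.headers.get("x-csrf-token")
    if token is None:
        raise RuntimeError(f"no x-csrf-token header (HTTP {resp.status_code})")
    return token


def csrf_post(session, url, **kwargs):
    """POST with X-CSRF-TOKEN; if the token has rotated, retry once with the new one."""
    if "X-CSRF-TOKEN" not in session.headers:
        session.headers["X-CSRF-TOKEN"] = fetch_csrf_token(session)
    resp = session.post(url, **kwargs)
    fresh = resp.headers.get("x-csrf-token")
    if resp.status_code == 403 and fresh:  # stored token was stale
        session.headers["X-CSRF-TOKEN"] = fresh
        resp = session.post(url, **kwargs)
    return resp


if __name__ == "__main__":
    import requests  # third-party; only needed for the live call

    # Assumption: the cookie comes from an environment variable (hypothetical
    # name) so it is never hardcoded in the script or pasted into a forum post.
    cookie = os.environ.get("ROBLOSECURITY")
    if not cookie:
        raise SystemExit("set the ROBLOSECURITY environment variable first")
    s = requests.Session()
    s.cookies.set(".ROBLOSECURITY", cookie, domain=".roblox.com")
    # Print only the length: the token itself should not end up in logs.
    print("token received, length", len(fetch_csrf_token(s)))
```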

Also, remember that your cookie will expire every time you log out. This includes logging out from the website. Use incognito to log into the account, and then don’t click logout or you will invalidate the cookie.

2 Likes

Yep, cookies invalidate themselves every so many months, so you should occasionally refresh them. There are endpoints (internal though!) available that allow you to reauthenticate and get a new cookie without manually retrieving one; you can refer to Noblox’s source for guidance or even Bloxy’s. I’m not sure if any Python library (for Roblox) has a reauthentication method, but in case any one of them does, you can use them as well in case you aren’t going to go the barebones way.

2 Likes