Change user's avatar colors using the Roblox web API (Python)

My goal is to make a Python program that will overwrite a player's avatar from a table (which contains body colors, applied accessories). I am not very experienced when it comes to HTTP stuff.

I am wondering if there's any way to achieve that result with account cookies.

current code:

import requests

cookie = '_|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_0'

session = requests.Session()
session.cookies['.ROBLOSECURITY'] = cookie

# check the user, and it returns the correct account
resp = session.get(
      url='https://users.roblox.com/v1/users/authenticated'
)
print(resp.json())

# here it returns code 403
resp = session.post(
      url = 'https://avatar.roblox.com/v1/avatar/set-body-colors',
      data = {
            'bodyColorsModel' : {
                  "headColorId": 24,
                  "torsoColorId": 24,
                  "rightArmColorId": 24,
                  "leftArmColorId": 24,
                  "rightLegColorId": 24,
                  "leftLegColorId": 24
            }
      },
)
print(resp.status_code)

I know this is a late response, but I was hoping to help if this was not resolved. Either way, I am hoping this helps anyone who encounters this issue.

I’ve made something similar in PHP two years ago, but I am sure it would work similarly. I had to update the avatar clothing/accessories separately from body colors. The same strategy can be applied for most of the other avatar related requests.

From my experience, the error 403 (Token Validation Failed) you are facing is not due to failed validation with the token, but for a different reason. If you disinclude the cookie, you will receive a 401 (Unauthorized) instead. The reasoning for this is because Roblox is not referring to the authentication token, but rather something called an x-csrf-token. This is provided in the response headers from the 403.

Indexing the headers to get the token is easy: resp.headers['x-csrf-token']. Assigning this to the session headers and performing the request once more will give you the result you want.

Additionally, bodyColorsModel is not necessary in the data and it should just be the keys-values directly.

A completed version of what you are asking for can be found below. Using the token in cookies will hopefully get this working. This has been tested on Python 3.6, but it should work on other versions.

import requests

cookie = ""

session = requests.Session()
session.cookies['.ROBLOSECURITY'] = cookie

# check the user, and it returns the correct account
resp = session.get(
      url='https://users.roblox.com/v1/users/authenticated'
)

def change_body_colors(body_color_data=None):
    resp = session.post(
      url = 'https://avatar.roblox.com/v1/avatar/set-body-colors',
      data = body_color_data
    )
    return resp

body_color_data = {
    "headColorId": 24,
    "torsoColorId": 24,
    "rightArmColorId": 24,
    "leftArmColorId": 24,
    "rightLegColorId": 24,
    "leftLegColorId": 24
}


# Make initial request (No need to include updated data as this is only to receive a x-csrf-token)
resp = change_body_colors()

# If status code is 403, proceed.
if resp.status_code == 403:

    # Fetch x-csrf-token from headers
    x_csrf_token = resp.headers['x-csrf-token']
    # Add x-csrf-token to session headers
    session.headers['x-csrf-token'] = x_csrf_token

    # Send request again with the x-csrf-token header set
    resp = change_body_colors(body_color_data)
    
    # Check request status
    if resp.ok:
        print("Updated body colors successfully.")
    else:
        print("Failed to update body colors.")
else:
    print("Failed to make initial request.")

I am unsure if this is the best way to go about it, but it is the one that worked for me.

If any assistance is needed please let me know! :>
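
The 403-then-retry handshake from the answer above, generalized into a helper that also copes with a token that changes mid-session and with a 403 that is a real refusal. This is an added example, not code from either poster; `post_with_csrf`, `StubSession` and the token values are constructed for illustration so it runs offline.

```python
CSRF_HEADER = "x-csrf-token"
URL = "https://avatar.roblox.com/v1/avatar/set-body-colors"  # endpoint from the thread


def post_with_csrf(session, url, **kwargs):
    """POST; on a 403 that carries a new x-csrf-token, store it and retry once."""
    resp = session.post(url, **kwargs)
    token = resp.headers.get(CSRF_HEADER)
    stale = token and session.headers.get(CSRF_HEADER) != token
    if resp.status_code == 403 and stale:
        session.headers[CSRF_HEADER] = token
        resp = session.post(url, **kwargs)
    return resp  # a 403 here is a real refusal, not a missing token


class StubResponse:
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


class StubSession:
    """Constructed stand-in for requests.Session (hypothetical server model):
    a POST succeeds only when the session header equals the current token."""

    def __init__(self, token, forbidden=False):
        self.headers, self.token, self.forbidden, self.calls = {}, token, forbidden, 0

    def post(self, url, **kwargs):
        self.calls += 1
        if self.forbidden:
            return StubResponse(403)  # refusal without a token to retry with
        if self.headers.get(CSRF_HEADER) == self.token:
            return StubResponse(200)
        return StubResponse(403, {CSRF_HEADER: self.token})


def demo():
    body = {"headColorId": 24, "torsoColorId": 24}  # constructed sample body
    s = StubSession("tok-1")
    codes = [post_with_csrf(s, URL, data=body).status_code]  # 403, then retry
    codes.append(post_with_csrf(s, URL, data=body).status_code)  # token reused
    s.token = "tok-2"  # server rotates the token mid-session
    codes.append(post_with_csrf(s, URL, data=body).status_code)  # refresh + retry
    denied = StubSession("tok-1", forbidden=True)
    codes.append(post_with_csrf(denied, URL, data=body).status_code)
    return codes, s.calls, denied.calls


if __name__ == "__main__":
    print(demo())
```

With a real `requests.Session`, pass it in place of the stub and load the `.ROBLOSECURITY` value from an environment variable rather than writing it into the source file.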