This will impact creators making calls without authentication to asset delivery
Impacted creators need to add authentication to all requests to asset delivery by April 2, 2025
If you do not update, calls will start being rejected with a 403
This tight timeline is necessary to ensure the security of creator content on Roblox
We appreciate your understanding and help with this change – please find more detailed information below.
Transition Details
These endpoints currently allow unauthenticated access to many assets. We’re making this change to enhance security and prevent abuse of creators’ content, including unauthorized content scraping. This update will allow us to protect your content better and provide a more secure platform.
If you are using these endpoints without authentication, you must begin sending authentication with your requests. We recommend switching to the new authenticated endpoints for your asset fetching needs:
These new endpoints support scoped API key and OAuth 2.0 authentication with the legacy-asset:manage scope.
Impact & Feedback
We expect this release to impact browser plugins, but we do not expect it to change behavior in experiences or in Studio. Please comment below to let us know the details of any use cases you have which cannot be satisfied by the new endpoints.
Please comment and let us know if you have any concerns.
We appreciate your help with this change and thank you for your support,
Roblox Core Services Team
Finding assets that use assetdelivery is pretty painful, authentification too, and April 2nd isn’t a very large deadline.
Do you plan anything to make the transition simpler with a tool like the one with audios? I’d like to do it in my games incase they do risk, but I don’t really know how to proceed efficiently.
A smooth transition is also safer to ensure every games will work correctly. I understand your worries about security, but I don’t want to see my games non-working or buggy due to such a move…
What does “authentication” mean here? Does that mean I just need to be logged in, or do I need to be logged in as the creator of the asset, or something else? I frequently use assetdelivery for quickly downloading assets through my browser and I’m not familiar with open-cloud stuff, so this is a little confusing to me.
EDIT: I should have read the announcement closer. Will try using the authenticated endpoints with an open cloud key
What’s our alternative for getting an image from a decal now (public or not)? I know about InsertService being modified to allow public Decals but this isn’t a complete replacement.
In Heroes Battlegrounds, we allow people to put decal IDs on their cape as a VIP perk. Since there’s a lot of people who don’t know the difference between an image ID and a decal ID, we have a fallback set up where decal IDs are turned into image IDs using assetdelivery.
If it’s through the browser you’re most likely authenticated automatically if logged-in. My guess is you’ll still be able to go to library to download the preview image of your assets.
We’ll have to see though…
1 weeks notice is not realistic; which, really if you live anywhere east of the US and work weekdays only because you set yourself healthy boundaries between work and personal life, it’s actually 5 days since everybody is signed off.
But there isn’t a specific time given on April 2nd, so I would also have to assume it’s an automated switch at 12am, meaning that for all we know there’s 4 days left.
The way this platform pushes changes is why I feel like I need to take my laptop on vacation with me so that I have the ability to fix anything immediate, announced or unannounced, intentional or unintentional.
you know you have screwed up as a platform when a very famous dev calls yall out for giving no notice for one of those “creator action required” updates(which is understandable)
i still need some explanation whether or not this update will end up breaking everything in existance or not tho
You did not spend much time writing this change, or you forgot to peer review it with another intern just to double check whether or not you’re getting your message across properly.
These changes will break my games, but I think we all know that’s not priority over there, given the short deadline you’ve handed to us.
You are doing this to impose future restrictions on developers. This is obvious. There is no use case for such a bizarre change.
A smooth transition is also safer to ensure every games will work correctly. I understand your worries about security, but I don’t want to see my games non-working or buggy due to such a move…
This won’t break any experiences. All gameplay and studio usage is done while authenticated. This would mainly affect any creators making calls to asset delivery outside of experiences (like from a browser extension, or script)
A smooth transition is also safer to ensure every games will work correctly.
Definitely - in this case your experiences are safe - this feedback is being shared with the team. We appreciate your understanding.