FAQs:
When did this change go live?
This change went live on April 2, 2025. Any request to an AssetDelivery endpoint without authentication now returns a 401 Unauthorized error.
> curl https://assetdelivery.roblox.com/v1/asset/?id=xxxxxxxxxx
{"errors":[{"code":0,"message":"Authentication required to access Asset."}]}
Does this affect experiences or Studio plug-ins using engine APIs such as InsertService?
No. Those APIs continue to work exactly as before.
Some asset requests still seem to work without authentication - why?
To ease the transition, we have temporarily allowed some asset IDs to be fetched without authentication. We will shrink this exception list over time, so we strongly recommend moving to authenticated requests as soon as possible.
Does this change block access to public or free assets?
No. Logged-in users can still access public and free assets, and inserting assets in-game or in Studio behaves exactly the same.
I’m using a web proxy to get image IDs from Decals and it no longer works. What should I do?
Good news: you can now fetch Decals you do not own directly from in-game code by using InsertService. See the announcement here: link
If you need to read assets outside the engine - for example from a custom tool - see the next question.
My proxy or tool can’t fetch assets anymore. What should I do?
We have released two new OpenCloud endpoints for fetching assets. Documentation is available here: docs. These endpoints are on apis.roblox.com, not assetdelivery.roblox.com.
The quickest fix is to pass an API key with each request to these new endpoints. An API key created for any user is sufficient if you only need publicly-available assets. Be aware, however, that heavy use could cause requests for that user to be throttled.
Here’s an example curl command and output (with the API key removed).
> curl https://apis.roblox.com/asset-delivery-api/v1/assetId/1818 -H "x-api-key: $apikey"
{"location":"https://sc2.rbxcdn.com/3531bd1e0747fccbf5df1aea7e3fc903?__token__=exp=1746044686~acl=/3531bd1e0747fccbf5df1aea7e3fc903*~hmac=aff1f6ba8f5a8daae71eeee80899a82fe0b1afa1c1a123fc18bd6445546a0d8e&Expires=1746044686&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9zYzIucmJ4Y2RuLmNvbS8zNTMxYmQxZTA3NDdmY2NiZjVkZjFhZWE3ZTNmYzkwMyoiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3NDYwNDQ2ODZ9fX1dfQ__&Signature=kUohXX01Gcn2RfY4jNp0aEAp09e8LX+/6wqHksvSE1ibkipVhJA6SwgxhUudAFfiuPLGFdpRb3E243R9zXpjNZWoekl6aW/0DTBnrVKTGBkfaMaB6PnraIX4Po7TeZnM3qZ+J3/Zy4wWJf266Lk9M1FUBpAuouwe67bPKEX+rIcxK0lBSeZXcvQGhmYbWQTZKaEEhis9EONkh8hLLhgM+X2wl9cd6ICIYqg+C40elgp3ke6BGiP4kMSFuvoIWTdOjTUG8E9Hokki4NFHxBqhV6CTAF0Cw6gDnJYXR2G9KDOF38+Hb0BSEFfSPTqeTRmqj7kQWcP3ZAmVnHx2Z+JXJg==&Key-Pair-Id=K1NHM9527CRDAW","requestId":"638814685640776121","IsHashDynamic":true,"IsCopyrightProtected":false,"isArchived":false,"assetTypeId":9}
Note that these endpoints return a JSON payload with the URL for the asset content in the “location” field. Your application will need to make another HTTP request to the “location” URL to download the asset content.
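The two-step fetch described above, as an added example (not Roblox's code): it sends the API key only to apis.roblox.com, checks the returned “location” before following it, and downloads from the signed URL without the key. The `.rbxcdn.com` host check (taken from the sample output), HTTP 429 as the throttling status, the `ROBLOX_API_KEY` variable name and the injectable `get` transport are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_BASE = "https://apis.roblox.com/asset-delivery-api/v1/assetId/"  # from the curl example
CDN_SUFFIX = ".rbxcdn.com"  # assumption: host suffix seen in the sample "location"


def http_get(url, headers):
    """Default transport: return (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_asset(asset_id, api_key, get=http_get):
    """Resolve an asset ID to its signed URL, then download the content."""
    status, body = get(API_BASE + str(int(asset_id)), {"x-api-key": api_key})
    if status == 401:
        raise PermissionError("authentication rejected (401)")
    if status == 429:  # assumption: throttling is signalled with HTTP 429
        raise RuntimeError("throttled: back off before retrying")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    location = json.loads(body)["location"]
    parts = urlsplit(location)
    host = parts.hostname or ""
    # Only follow HTTPS URLs on the expected CDN; report the host, never the signed URL.
    if parts.scheme != "https" or not host.endswith(CDN_SUFFIX):
        raise ValueError("unexpected download host: " + host)
    # The signed URL carries its own expiring token, so the API key is not sent here.
    status, content = get(location, {})
    if status != 200:
        raise RuntimeError(f"download failed with status {status}")
    return content


if __name__ == "__main__":
    # The key comes from the environment, not from source control.
    data = fetch_asset(1818, os.environ["ROBLOX_API_KEY"])
    print(len(data), "bytes")
```

The “location” URL in the sample output carries an expiry, so resolve it again for each download rather than caching it.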
I want to use the new OpenCloud AssetDelivery endpoints to fetch my group’s private assets, but the legacy-asset API system is not selectable. What should I do?
The error message you see when trying to select the legacy-asset API system is “Legacy APIs with community API keys are currently not supported”.
At the moment, the new endpoints accept API keys created for individual users only, not a group. We are aware of this issue and we’re working towards a better experience for groups and legacy APIs. The current workaround is to create an API key for a user who is a member of the group and is in a role with permissions to download assets. The particular group permissions can be added on the website Group configure page:
- Configure avatar items - for avatar items, like body parts and clothing
- Create and edit community experiences - for places and game development assets
Sending that user’s API key with your requests to the new OpenCloud endpoints will allow you to fetch the group’s assets.
Will there be a batch asset request endpoint?
We are happy to add this if creators want it! Please let us know you’re interested. Note that this would respect the same per-asset rate limits as single fetch requests though.