Generating a .ROBLOSECURITY Token Using The Quick Login API

What do you want to achieve?
I want to generate a .ROBLOSECURITY token using the Quick Login API from PowerShell.

What is the issue?
I have gone through this guide: How to generate a .ROBLOSECURITY token from Quick Login, but I’m stuck on how to obtain the x-csrf-token needed for the request.

Specifically, in PowerShell, when I make a POST request to https://apis.roblox.com/auth-token-service/v1/login/status using:

$response = Invoke-RestMethod -Uri $url -Method Post -Body $body -ContentType "application/json"

I receive the following error:

Invoke-RestMethod : {"errors":[{"message":"XSRF token invalid","code":0}]}

What solutions have you tried so far?
I’ve read the tutorial linked above, but I don’t fully understand how to get the x-csrf-token from the response headers. I’ve attempted to manually inspect the request headers, but I’m still not sure how to get the token or attach it to the POST request.

If anyone has worked with the Quick Login API or knows how to get the x-csrf-token, I’d really appreciate the help!

1 Like

The X-CSRF token lives in the response headers when you get this specific error.

Roblox took down the doc sites after I wrote what you linked, but just send the response again with the retrieved token.

-- Lune runtime: net.request and serde.encode come from its built-in libraries
local net = require("@lune/net")
local serde = require("@lune/serde")

-- Sends a JSON request and handles Roblox's XSRF challenge: a 403 whose
-- response carries an x-csrf-token header is retried once with that token.
local function jHttpRequest(req)
	if not req.headers then
		req.headers = {}
	end

	req.headers.Accept = "application/json"
	req.headers["Content-Type"] = "application/json"

	req.body = serde.encode("json", req.body)
	local res = net.request(req)

	-- Only the XSRF challenge is retried, and only when a token actually came
	-- back; any other failure (401, 429, 500, ...) falls through to the error return.
	if not res.ok and res.statusCode == 403 and res.headers then
		local token = res.headers["x-csrf-token"]
		if token then
			req.headers["x-csrf-token"] = token
			res = net.request(req)
		end
	end

	if not res.ok then
		return false, {
			httpMessage = res,
			body = res.body,
			sentMessage = req.body
		}
	end

	return true, {
		httpMessage = res,
		body = serde.decode("json", res.body),
		sentMessage = req.body
	}
end

(this is for a different luau runtime but hopefully you can figure out what each bit does)

It's also worth noting that quick login does use some form of public IP check when it validates login codes, so if you're doing this for a web server, keep that in mind.

2 Likes
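The same challenge-and-retry pattern in PowerShell, as an added example that is not part of the thread and not Roblox's own tooling. It does what the Luau snippet above does: fire the request, read `x-csrf-token` out of the 403 error response, and send the request once more with that header attached. The function name `Invoke-RobloxCsrfRequest` is this example's own; `$body` stands for whatever JSON body the guide has you send to login/status, which this example does not define; and the cookie lookup at the end assumes the login response sets .ROBLOSECURITY in the session's cookie jar.

```powershell
# Added example (not from the original thread). Triggers the 403 "XSRF token
# invalid" response, reads x-csrf-token from its headers, and retries once with
# the header attached. Works on Windows PowerShell 5.1 (HttpWebResponse) and
# PowerShell 7+ (HttpResponseMessage), which expose the failed response differently.
function Invoke-RobloxCsrfRequest {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [string] $Method = 'Post',
        [object] $Body,                 # hashtable/object, serialised to JSON below
        [Microsoft.PowerShell.Commands.WebRequestSession] $Session
    )

    # One header table shared by both attempts; the retry just adds the token to it.
    $headers = @{ Accept = 'application/json' }
    $params = @{
        Uri             = $Uri
        Method          = $Method
        Headers         = $headers
        ContentType     = 'application/json'
        UseBasicParsing = $true
    }
    if ($null -ne $Body)    { $params.Body = ($Body | ConvertTo-Json -Compress -Depth 10) }
    if ($null -ne $Session) { $params.WebSession = $Session }   # keeps cookies across calls

    try {
        return Invoke-WebRequest @params
    }
    catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS/TLS/connection failure, not an HTTP error

        # Pull the token out of the failed response; the property shape differs by version.
        $token = $null
        if ($resp -is [System.Net.HttpWebResponse]) {
            $token = $resp.Headers['x-csrf-token']
        }
        elseif ($resp.Headers.Contains('x-csrf-token')) {
            $token = @($resp.Headers.GetValues('x-csrf-token'))[0]
        }

        # Only the XSRF challenge is retried; anything else (401, 429, 500, ...) propagates.
        if ([int]$resp.StatusCode -ne 403 -or [string]::IsNullOrEmpty($token)) { throw }

        $headers['x-csrf-token'] = $token
        return Invoke-WebRequest @params   # a second 403 here is a genuine failure
    }
}

# Usage: $body is whatever JSON-serialisable body you were already sending to
# login/status (its fields come from the guide, not from this example).
$session  = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$url      = 'https://apis.roblox.com/auth-token-service/v1/login/status'
$response = Invoke-RobloxCsrfRequest -Uri $url -Body $body -Session $session
$response.Content | ConvertFrom-Json

# Once the login flow completes, the session's cookie jar is assumed to hold
# .ROBLOSECURITY. Treat it like a password: do not echo it or hard-code it in scripts.
$session.Cookies.GetCookies($url) |
    Where-Object { $_.Name -eq '.ROBLOSECURITY' } |
    ForEach-Object { 'got .ROBLOSECURITY ({0} chars)' -f $_.Value.Length }
```

The function fetches a fresh token on every call, which costs one extra round trip; if you make many requests, keep the token in a script-scope variable and only fall back to the challenge when a 403 comes back. Passing one `WebRequestSession` to every call is what carries the cookies from the login step to later requests, the same role the cookie jar plays in a browser.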

Thanks for replying so fast! This helps a lot. The GitHub page you linked in your original post leads to a 404 page. Is that intentional?

Roblox did not actually take down the docs; they are still accessible via https://auth.roblox.com//docs