Getting Secret in Studio triggers error: Header "..." has unallowed character

When trying to get your secrets in Studio for testing (in team create), this error always pops up.

But this error will not pop up in a live game, it will work totally fine.

Here’s how I’m getting the secret:

local Secret = HttpService:GetSecret("SecretName")
local s, e = pcall(function()
	HttpService:PostAsync(URLHERE, HttpService:JSONEncode(SENDDATA), Enum.HttpContentType.ApplicationJson, false, {
		["accept"] = "application/json",
		["authorization"] = Secret ,
	})
end)
if not s then warn(e) end

My Secrets in my game settings looks like this
{"SecretName": ["SecretValueHere", "*.on.aws"]}

Link to other dev having the issue:

1 Like

Most likely it’s happening due to SecretValueHere missing base64 encoding. It looks like documentation doesn’t make it clear that SecretValueHere should be base64 encoded. So, for example, if your secret value is “mySuperSecret”, the JSON should be this:

{"SecretName": ["bXlTdXBlclNlY3JldA==", "*.on.aws"]}

I will update the documentation with an example clarifying how to use locally defined secrets.

2 Likes

My SecretValue is base64 encoded. I generated using a UUID generator so it effectively looks like this format:

9e755373-cf03-4b4a-8d50-a0f2cfdd7e1a

I also tried without hyphens and it also did not work

Can we maybe also not have to Base64 encode the secrets? I think this is painful UX. Happy to file a feature request if that would help.

2 Likes

This is extremely painful UX- couldn’t studio just b64 encode the content as it reads it from the json?

1 Like

Secrets are not limited to (textual) API keys, and technically may contain binary values (e.g. ECDSA private key, or DER-encoded private key for mTLS). I didn’t expect this feature to be so popular, hence didn’t account for a proper UX. Otherwise, it should be turned into a 3-column table, with Add/Remove buttons.

3 Likes

To ensure I understand: are you running “Team Test”? This implies using production secret, the one submitted through Creator Hub (local secret isn’t used).

If you’re running it locally (F5 in Studio), then locally-defined secret is used. I tried your example, 9e755373-cf03-4b4a-8d50-a0f2cfdd7e1a, which resulted in this JSON:

{"secret": ["OWU3NTUzNzMtY2YwMy00YjRhLThkNTAtYTBmMmNmZGQ3ZTFh", "*.com"]}

It works perfectly fine for me. Would you mind providing an example of some base64 encoded secret value that triggers the error? Or, could you try decoding it (e.g. here: https://www.base64decode.org/ ) and check if it decodes to the original value?

Extra note, HTTP headers allow only a subset of ASCII characters (see what characters are allowed in HTTP header values? - Stack Overflow).

It looks like the issue is that secret key written in game settings must be the base64 encoded from you’re secret key like in your example

I honestly messed up and somehow didn’t parse the entirety of your original message. I’m sorry about that.

1 Like

Thanks for the update! It’s just as well my fault to forget the documentation updates. It is done now, I hope that official documentation helps: Game Settings | Documentation - Roblox Creator Hub

I also agree that Studio UX should be improved, but won’t promise I will get to work on it anytime soon.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.