Getting Secret in Studio triggers error: Header "..." has unallowed character

When trying to get your secrets in Studio for testing (in team create), this error always pops up.

But this error will not pop up in a live game; it will work totally fine.

Here’s how I’m getting the secret:

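local HttpService = game:GetService("HttpService")

-- Fetch the secret by the name configured in game settings
local Secret = HttpService:GetSecret("SecretName")
local s, e = pcall(function()
	-- Send the secret as the authorization header value
	HttpService:PostAsync(URLHERE, HttpService:JSONEncode(SENDDATA), Enum.HttpContentType.ApplicationJson, false, {
		["accept"] = "application/json",
		["authorization"] = Secret,
	})
end)
if not s then warn(e) end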

My Secrets in my game settings look like this:
{"SecretName": ["SecretValueHere", "*.on.aws"]}

Link to other dev having the issue:

1 Like

Most likely it’s happening due to SecretValueHere missing base64 encoding. It looks like documentation doesn’t make it clear that SecretValueHere should be base64 encoded. So, for example, if your secret value is “mySuperSecret”, the JSON should be this:

{"SecretName": ["bXlTdXBlclNlY3JldA==", "*.on.aws"]}

I will update the documentation with an example clarifying how to use locally defined secrets.

2 Likes

My SecretValue is base64 encoded. I generated using a UUID generator so it effectively looks like this format:

9e755373-cf03-4b4a-8d50-a0f2cfdd7e1a

I also tried without hyphens and it also did not work.

Can we maybe also not have to Base64 encode the secrets? I think this is painful UX. Happy to file a feature request if that would help.

2 Likes

This is extremely painful UX; couldn’t Studio just b64 encode the content as it reads it from the JSON?

1 Like

Secrets are not limited to (textual) API keys, and technically may contain binary values (e.g. ECDSA private key, or DER-encoded private key for mTLS). I didn’t expect this feature to be so popular, hence didn’t account for a proper UX. Otherwise, it should be turned into a 3-column table, with Add/Remove buttons.

3 Likes

To ensure I understand: are you running “Team Test”? This implies using the production secret, the one submitted through Creator Hub (the local secret isn’t used).

If you’re running it locally (F5 in Studio), then the locally-defined secret is used. I tried your example, 9e755373-cf03-4b4a-8d50-a0f2cfdd7e1a, which resulted in this JSON:

{"secret": ["OWU3NTUzNzMtY2YwMy00YjRhLThkNTAtYTBmMmNmZGQ3ZTFh", "*.com"]}

It works perfectly fine for me. Would you mind providing an example of some base64 encoded secret value that triggers the error? Or, could you try decoding it (e.g. here: https://www.base64decode.org/ ) and check if it decodes to the original value?

Extra note: HTTP headers allow only a subset of ASCII characters (see “What characters are allowed in HTTP header values?” on Stack Overflow).
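The decode-and-check step suggested above, as an added example that is not part of the original posts and not Roblox code: it base64-encodes a secret for the local secrets JSON and flags stored values that are not valid base64 or that decode to bytes unsuitable for an HTTP header. The function names, the sample JSON and the conservative "printable ASCII only" header rule are assumptions made for this example.

```python
import base64
import binascii
import json

def encode_secret(value):
    """Base64-encode a plaintext (str) or binary (bytes) secret for the local secrets JSON."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    return base64.b64encode(raw).decode("ascii")

def header_safe(raw):
    """Conservative rule (an assumption): printable ASCII or tab, no leading/trailing whitespace."""
    return bool(raw) and raw == raw.strip() and all(0x20 <= b <= 0x7E or b == 0x09 for b in raw)

def check_entry(stored):
    """Return a list of problems for one stored (supposedly base64) secret value."""
    try:
        # validate=True rejects characters outside the base64 alphabet, such as '-'
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64 (was the plaintext pasted in directly?)"]
    if not header_safe(raw):
        return ["decoded value has bytes not allowed in an HTTP header value"]
    return []

def check_secrets(json_text):
    """Map each secret name to its problems; expects {"Name": ["<base64>", "<domain>"]}."""
    return {name: check_entry(entry[0]) for name, entry in json.loads(json_text).items()}

# Constructed sample built from the UUID quoted in the thread.
UUID = "9e755373-cf03-4b4a-8d50-a0f2cfdd7e1a"
SAMPLE = json.dumps({
    "Encoded": [encode_secret(UUID), "*.on.aws"],           # correctly encoded
    "RawUuid": [UUID, "*.on.aws"],                          # plaintext with hyphens
    "NoHyphens": [UUID.replace("-", ""), "*.on.aws"],       # plaintext, hyphens removed
})

if __name__ == "__main__":
    for name, problems in check_secrets(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```

A 32-character hex string happens to be syntactically valid base64, so an unencoded UUID without hyphens decodes without error into 24 arbitrary bytes rather than being rejected outright.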

It looks like the issue is that the secret key written in game settings must be base64 encoded from your secret key, like in your example.

I honestly messed up and somehow didn’t parse the entirety of your original message. I’m sorry about that.

1 Like

Thanks for the update! It’s just as well my fault to forget the documentation updates. It is done now, I hope that official documentation helps: Game Settings | Documentation - Roblox Creator Hub

I also agree that Studio UX should be improved, but won’t promise I will get to work on it anytime soon.

1 Like