You can use it for third parties. For example, you can create a server and a Python program, then send commands through the Python program to the server and from the server to your game, which is useful for ban systems etc.
This tutorial isn’t half as bad as people are making it out to be, but the X-CSRF-TOKEN expires as stated earlier, so this method does work technically, but it will just end up failing because the token changes every so often (if I remember correctly).
You should add a method on how to keep the token up to date to this post.
For those who don’t know, the X-CSRF-TOKEN can be used to make API calls using Roblox’s API endpoints, for example:
With your .ROBLOSECURITY and X-CSRF-TOKEN you can make API calls to https://avatar.roblox.com and have your avatar update from a third-party application. It’s not useless and I’ve had my fun making silly things with it.
It’s actually much more than just that. Most POST requests require an x-csrf-token, regardless of how sensitive the data is or whether the endpoint even requires .ROBLOSECURITY. While there are some valid use-cases for this, you shouldn’t ever be fetching this value manually and should rely on your own code to do so. Please also be wary that some of these POST endpoints are somewhat ‘nuclear’; they provide no ‘undo button’ and can remove a lot on your account if you allow arbitrary programs to run them. An important note is that GET requests do not need this token, so if a program requires this token, it is planning on changing something on your account, not just reading data (except in some really specific cases where endpoints have been miscategorised, but that is beside the point).
No offence, but if someone isn’t aware of what an x-csrf-token even is, they probably shouldn’t be using it. Endpoints can be dangerous if used incorrectly, and you shouldn’t be inputting this into an external party’s code (which I assume many confused users would possibly be doing). I understand the use-cases for those who understand exactly what they are doing (and if you do, go ahead and use this token), but I also almost feel guilty not giving this warning to those who may not know what they are doing and end up losing everything.
If you don’t understand the use for this, don’t put people down because of your ignorance, thanks. Seeing a pattern with you.
IIRC this value is useful for on-page extensions piggybacking off of Roblox’s endpoints. Several require this value, which is obtained through a sort of simple handshake while logged in and/or is available in the DOM, I don’t remember exactly.
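As an added illustration (not code from any poster in this thread) of the token-refresh handling asked for earlier and the handshake the last reply mentions, here is a small client wrapper that keeps the token current. It assumes, since the thread does not spell it out, that a POST sent with a missing or stale token is rejected with HTTP 403 and that the response carries a fresh value in an `x-csrf-token` header; the server side is a constructed fake so the example runs offline, and the `ROBLOSECURITY` environment variable name is the author's own choice.

```python
# Added example: keep the X-CSRF-TOKEN current by handling the server's rotation.
# ASSUMPTION: a POST with a missing/stale token gets 403 plus an "x-csrf-token"
# response header holding the fresh token; the client caches it and re-sends once.
# The transport below is a constructed fake standing in for the real HTTP call.
import os
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str]]            # (status, response headers)
Transport = Callable[[str, Dict[str, str]], Response]  # (url, request headers)


class CsrfSession:
    """POST helper that transparently refreshes an expired X-CSRF-TOKEN."""

    def __init__(self, transport: Transport, cookie: str) -> None:
        self._send = transport
        self._cookie = cookie          # never hard-code this: it controls the account
        self._token: Optional[str] = None
        self.retries = 0               # how often a stale token forced a re-send

    def post(self, url: str) -> int:
        headers = {"Cookie": f".ROBLOSECURITY={self._cookie}"}
        if self._token:
            headers["X-CSRF-TOKEN"] = self._token
        status, resp_headers = self._send(url, headers)
        fresh = resp_headers.get("x-csrf-token")
        if status == 403 and fresh and fresh != self._token:
            # Missing or rotated token: cache the new value and retry exactly once.
            self._token = fresh
            self.retries += 1
            status, _ = self._send(url, {**headers, "X-CSRF-TOKEN": fresh})
        return status


class FakeRobloxTransport:
    """Constructed stand-in for the server: rotates the token every `ttl` accepted POSTs."""

    def __init__(self, ttl: int = 2) -> None:
        self.generation, self.accepted, self.ttl = 0, 0, ttl

    def __call__(self, url: str, headers: Dict[str, str]) -> Response:
        current = f"token-{self.generation}"
        if headers.get("X-CSRF-TOKEN") != current:
            return 403, {"x-csrf-token": current}   # handshake: hand out the fresh token
        self.accepted += 1
        if self.accepted % self.ttl == 0:
            self.generation += 1                    # token expires after ttl uses
        return 200, {}


def demo(ttl: int = 2, n_posts: int = 5) -> Tuple[list, int]:
    """Run n_posts POSTs against the fake server; return (statuses, retries)."""
    session = CsrfSession(FakeRobloxTransport(ttl), os.environ.get("ROBLOSECURITY", "<placeholder>"))
    statuses = [session.post("https://example.invalid/v1/update") for _ in range(n_posts)]
    return statuses, session.retries
```

Every call still succeeds across token rotations, and `retries` shows how many re-sends the cached token saved you from handling by hand.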