How to get your X-Csrf-Token

Here is a basic tutorial on how you can get your X-Csrf-Token.

1. Go to Roblox

2. Right-click, click “Inspect element” and go to the “Network” tab, or press Ctrl + Shift + I

3. Reload the Page (F5)

4. Filter or find “get-profiles” and click on it (any)

5. Something should pop up; scroll it down and at the bottom should be your X-Csrf-Token.

2 Likes

I don’t find any use cases for an X-CSRF-TOKEN

1 Like

Why did you make this? Who cares about that value?

2 Likes

You can use it for third parties. For example, you can create a server and a Python program, then send commands through the Python program to the server, and from the server to your game; useful for ban systems etc.

I do,

I use it for my game to handle data.

I’m pretty sure DataStoreService already does a good job on handling data

No, for external games (outside of that place) that I make I use that too.

I’m pretty sure the CSRF token expires pretty quickly, so that wouldn’t work.

1 Like

ROBLOSECURITY wasn’t good enough or something?

1 Like

This tutorial isn’t half as bad as people are making it out to be, but the X-CSRF-TOKEN expires as stated earlier – so this method does technically work, but it will just end up failing because the token changes every so often (if I remember correctly).

You should add a method on how to keep the token up to date to this post.

For those who don’t know, the X-CSRF-TOKEN can be used to make API calls using Roblox’s API endpoints, for example:

With your ROBLOSECURITY and X-CSRF-TOKEN you can make API calls to
https://avatar.roblox.com and have your avatar update from a third-party application. It’s not useless and I’ve had my fun making silly things with it.

1 Like

It’s actually much more than just that. Most POST requests require an x-csrf-token, regardless of how sensitive the data is / whether the endpoint even requires .ROBLOSECURITY. While there are some valid use-cases for this, you shouldn’t ever be fetching this value manually and should rely on your own code to do so. Please also be wary that some of these POST endpoints are somewhat ‘nuclear’; they provide no ‘undo button’ and can remove a lot from your account if you allow arbitrary programs to run them. An important note is that GET requests do not need this token, so if a program requires this token, it is planning on changing something on your account, not just reading data (except in some really specific cases where endpoints have been miscategorized, but that is besides the point).

No offence, but if someone isn’t aware of what an x-csrf-token even is, they probably shouldn’t be using it. Endpoints can be dangerous if used incorrectly, and you shouldn’t be inputting this into an external party’s code (which I assume many confused users would possibly be doing). I understand the use-cases for those who understand exactly what they are doing (and if you do, go ahead and use this token), but I also almost feel guilty not giving this warning to those who may not know what they are doing, and end up losing everything.

2 Likes

If you don’t understand the use for this, don’t put people down because of your ignorance, thanks. Seeing a pattern with you.

IIRC this value is useful for on-page extensions piggybacking off of Roblox’s endpoints. Several require this value, which is obtained through a sort of simple handshake while logged in and/or is available in the DOM, I don’t remember exactly.

4 Likes
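The "keep the token up to date" request a few posts up and the "simple handshake" mentioned here describe the same mechanism: a POST sent without a valid token is refused with HTTP 403 and a fresh token is handed back in the `x-csrf-token` response header, so a client can refresh and retry instead of copying the value out of the Network tab by hand. The following is an added example, not code from the original post or from Roblox. It assumes that 403-with-header behaviour, the `.ROBLOSECURITY` cookie name, and a constructed `FakeRobloxServer` stand-in so it runs offline; the avatar endpoint path is illustrative and only ever reaches the fake server. It also adds the check a practitioner wants given the warning above: the session cookie is never sent to a host that is not `roblox.com` or a subdomain of it.

```python
"""Added example (not from the thread): a client that refreshes its X-CSRF-TOKEN
via the 403 handshake and never leaks the session cookie off *.roblox.com.
The server below is a constructed stand-in, not the real Roblox service."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class FakeRobloxServer:
    """Constructed stand-in mirroring the behaviour described in the thread:
    GET needs no CSRF token; POST without the current token -> 403 plus a fresh
    token in `x-csrf-token`; the token rotates every `rotate_every` accepted POSTs,
    so a client that caches it once will eventually be refused again."""

    def __init__(self, rotate_every=2):
        self.token = secrets.token_urlsafe(16)
        self.rotate_every = rotate_every
        self.posts_seen = 0

    def handle(self, method, url, headers):
        if ".ROBLOSECURITY=" not in headers.get("Cookie", ""):
            return Response(401, body="not logged in")
        if method == "GET":
            return Response(200, body="read-only data")      # no token required
        if headers.get("X-CSRF-TOKEN") != self.token:
            return Response(403, {"x-csrf-token": self.token}, "Token Validation Failed")
        self.posts_seen += 1
        if self.posts_seen % self.rotate_every == 0:
            self.token = secrets.token_urlsafe(16)          # simulate expiry
        return Response(200, body="ok")


def is_allowed_host(url):
    """Only roblox.com and its subdomains may ever see the session cookie."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "roblox.com" or host.endswith(".roblox.com")


class RobloxClient:
    def __init__(self, transport, roblosecurity):
        self._send = transport            # callable(method, url, headers) -> Response
        self._cookie = f".ROBLOSECURITY={roblosecurity}"
        self.csrf_token = None            # learned from the first 403, never pasted in
        self.refreshes = 0

    def _headers(self, method):
        h = {"Cookie": self._cookie}
        if method == "POST" and self.csrf_token:
            h["X-CSRF-TOKEN"] = self.csrf_token
        return h

    def request(self, method, url):
        if not is_allowed_host(url):
            raise ValueError(f"refusing to send session credentials to {url!r}")
        resp = self._send(method, url, self._headers(method))
        # Handshake: on 403 adopt the token the server offers and retry exactly once.
        if method == "POST" and resp.status == 403 and "x-csrf-token" in resp.headers:
            self.csrf_token = resp.headers["x-csrf-token"]
            self.refreshes += 1
            resp = self._send(method, url, self._headers(method))
        return resp


def demo():
    """Run one GET and five POSTs against the fake server; return what happened."""
    server = FakeRobloxServer(rotate_every=2)
    client = RobloxClient(server.handle, "placeholder-cookie-value")
    get = client.request("GET", "https://users.roblox.com/v1/users/authenticated")
    posts = [client.request("POST", "https://avatar.roblox.com/v1/avatar/set-wearing-assets")
             for _ in range(5)]
    return get.status, [p.status for p in posts], client.refreshes, server.posts_seen


if __name__ == "__main__":
    print(demo())
```

Every POST ends in 200 even though the fake server rotates its token after every second accepted POST: the client pays one extra round trip each time the token goes stale (three refreshes for five POSTs in the demo) and never needs a human to read the value out of DevTools. The GET carries no token at all, which is the tell the post above points out: a program that insists on your X-CSRF-TOKEN intends to change something.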

Yeah, my bad, I should’ve provided more clarification that endpoints can be dangerous & should only be used by people who know what they are doing.

Thank you for providing more insight & the repercussions of this.

2 Likes

You will need both ROBLOSECURITY and the X-Csrf-Token. I recommend reading the other comments on this post since they are better written.

Thanks for the feedback, I will post one soon on how to keep one up to date.

1 Like