How to use Headers with RBLX Web Api

Recently, I have been trying to make an http request to the Roblox api endpoints but I am struggling to use the proper authentication. This is my current Deno (js) code.

  const response = await fetch(``,
headers: {

This code snippet returns the same error if I were to put .ROBLOSECURITY as .RBLXSECURITY. It returns the same error of

{"errors":[{"code":0,"message":"Authorization has been denied for this request."}]}

Any help with this issue would be much appreciated.

1 Like

You’ll need to add a x-csrf-token header. The only way to get this (AFAIK) is by sending a request to a roblox API right before you want to send your actual request, and get the token from there. Then you can send your real request with the token and the cookie.

For example this is what my function looks like in nodejs for sending an authenticated request:

  async sendAuthenticatedRobloxRequest(url, options, sendRobloxToken) {
    if (!options) {
      options = { headers: {} };
    } else if (!options.headers) {
      options.headers = {};
    options.headers.cookie = this.config.robloxCookie;
    if (sendRobloxToken) {
      const response = await fetch('', {
        method: 'post',
        headers: { cookie: this.config.robloxCookie },

      options.headers['x-csrf-token'] = response.headers.get('x-csrf-token');
    return fetch(url, options);

(I don’t know if, when sending the request above to get the token, whether or not you actually need to include your cookie for that one too).

Hopefully you get the idea. I can’t remember how I figured this out (no experience in web stuff), but it involved playing around a bit with Postman trying to get authentication to work. I’ve since discovered that Noblox has a more proper implementation of the same thing:

Hopefully someone who knows what they’re doing can answer better!


The header worked after I reset the ROBLOSECURITY key value pair by signing out of all other devices. This is still very useful information, thank you.

Also, I’m not sure if this is completely right, but it seems that no blox sends something akin to a heartbeat as you would find with a web socket connection. I’m assuming this is because roblox resets the authentication after a day which is why they have this:

setInterval(relog, day) // day is 24 hours in milliseconds