I’m Qxest and I maintain the noblox.js API wrapper that users use to interact with Roblox’s API. This is not the only API wrapper out there but it is one of the most frequently used API wrappers for Roblox.
Major Problems
As a Roblox developer, it is currently too hard to use Roblox’s API without using some kind of API wrapper. API wrapper developers face the problem of running into the X-CSRF-TOKEN problem. The problem we have with X-CSRF-TOKENs is that they’re required in almost every request we send to Roblox’s website (list of endpoints from a https://sitename.roblox.com/docs website that use CSRF token listed at bottom), like the shout endpoint, and that it refreshes in an unpredictable manner. You can’t get an X-CSRF-TOKEN without a dirty hack that involves sending a request to some endpoint like logout (despite not being logged in) and getting the X-CSRF-TOKEN from the header on the error response you get back.
Endpoints that use CSRF token
https://hastebin.com/jakenequya.txt
Thank you Gamenew09 for helping me compile this list.
Just recently, Roblox released an update that placed a Funcaptcha (turn this duck right side up-type captcha) on certain pages preventing many bots from logging in. This stopped the spam bots, but it did also take down bots and web APIs that logged in and used Roblox’s API for non-malicious reasons including ClanLabs (group management system used by many clans including FEAR) and the bot that accepts players into the DevForum group on Roblox. As Roblox continues to release new updates that are meant to counter malign bots, legitimate bots are disrupted in the process and so Roblox should release an ecosystem empowering users to create good bots while at the same time preventing bots from abusing the API.
What if the user wants to use a bot with their account? Right now when logging in and you use a captcha solving service, you put in your username and password which grants full access to your account rather than select permissions. You can’t tell the API wrapper what permissions you (don’t) want it to have access to which poses as a security risk.
Proposed Solution
I propose that Roblox implements a developer token system. A developer token system would allow users to interact with Roblox’s API without facing all of the above problems. Verified Roblox users (verified email on account, probably 13+) would have access to a page in My Settings that would allow them to generate an API access key. Limiting this to verified Roblox users would help on eliminating bots created by amateurs for mischievous purposes and an age limit would help prevent unsuspecting children from creating a token without understanding the dangers of making them. How do you reduce the number of bots generating these keys and continue users to create legit bots? Implement a captcha here. Because the user would rarely be making these developer tokens, a captcha would make sense because it would help eliminate bots from creating a bunch of developer tokens and would be as little of a hassle to the user as possible. These API access keys would be similar to how Discord allows users to create bots and receive a token which they can use to interact with the API.
By enforcing rate limits, Roblox can also attack the bot problem using these developer tokens. Discord has rate limits on their API and when you do something dumb like send a bunch of POST requests to one endpoint, you get rate limited. What if you hit the rate limit way too often? You get banned (and possibly other accounts that have been used on your IP address though this may not do much good).
With developer tokens, Roblox can implement a permission system which allows the API to access certain endpoints and restrict access to others. Maybe a user wants the bot on their account to only rank users and not be able to spend Robux on the end-user’s account.
Sample Usage
- User signs up for Roblox (or uses an existing account)
- Verify account if they need to
- Goes to Developer Tokens page
- Creates new Token and selects permissions it wants the token to grant
- Places Token in API wrapper or sends it with requests to Roblox API
TL;DR
Implement developer tokens so we don’t have to send X-CSRF-TOKEN and .ROBLOSECURITY cookie with every request sent to Roblox API.