Improving Roblox's API

I’m Qxest and I maintain noblox.js (basically a continuation of roblox-js by Froast). With breaking changes constantly being released, API wrappers like these push maintainers back and sometimes eventually put us back where we started.


Roblox’s API continues to be inconsistent with their API.

Endpoint 1 puts usernames in a field called name and user IDs in a field called targetId.
Endpoint 2 puts usernames in a field called username and user IDs in a field called userId. (noted that it’s v1)
Endpoint 3 puts usernames in a field called Username and user IDs in a field called Id.

If you’ve worked with programming languages and had to transverse data in objects, you know how much consistency matters (including character cases). This problem applies across multiple endpoints that have other problems as well.

Logging In

This problem has been here for ages. Noblox.js as well as some other libraries use a dirty hack that involves sending a request to another endpoint like the logout one (despite the error recieved for trying to log out with no account signed in in the first place) and getting the X-CSRF-TOKEN on the response from the endpoint. What’s so troublesome about that? The X-CSRF-TOKEN keeps changing forcing us to make code that gets a new one if there is a new one. This along with some other things make the whole entire process frustrating.


Captchas are incredibly frustrating to work with. Captchas were implemented to prevent botting but I think we all noticed how the bots were able to get past those captchas and put things on our group walls along the lines of “I just won one billion Robux and have unlimited game passes. Go to [link] to win yours too!” .

At some point today (12/21/18), Roblox implemented an invisible captcha that was meant to, from what I’m guessing, prevent bots from logging in if they filled the username and password fields in an inhuman way (very very fast). That measure isn’t going to hold for long and it’s frustrating because there are probably hundreds, if not thousands, of people using API wrappers that log into Roblox through this method leading maintainers to submit fixes to code that was broken because Roblox couldn’t properly secure their login endpoint. I’m betting within a couple of weeks, this new measure is going to become useless.

Lack of certain endpoints

What he said.

Proposed Solutions

Implementing an OAuth System

This is long overdue and has been continuously been asked for by the community.

Some months ago, a Discord bot called RoVerify (not to be mistaken with RoVer) existed and allowed users to manage their groups by typing in a username and password. Safe right? A bit later, usernames and passwords were leaked (they weren’t hashed either). Implementing an OAuth system that specifically tells users what the application will have access to should overall make Roblox safer and reduce concerns about applications “hacking” their account and doing something with their accounts

Implementing Developer Tokens

Pairing this with the OAuth system, allowing users to generate tokens in which they can use with interacting with Roblox’s API is a lot better than having to send a .ROBLOSECURITY cookie and X-CSRF-TOKEN header in every request you send out. These developer tokens can tokens can be created by only Verified Roblox users that have been on the platform for a while to help prevent bots and bring an end to captchas.

Upgrading the API

The API is incredibly inefficient and inconsistent. Apart from knowing that a user’s username can be Username, name, and username, API wrapper developers like myself find it cumbersome knowing that the mistake I just made was because Roblox sent me a 200 OK status code with a body of:

    success: false,
    errors: "im inconsistent"

rather than an actual 503 status code telling me that the API is down.

Implementing better endpoints (less web scraping) and creating an actual list containing endpoints we could use would also be a good idea rather than this. Along with these endpoints could be a log of some sort showing changes to the website/API that would possibly break things like what happened today.

Roblox should introduce rate limits across most, if not all, endpoints to help kill shady activities. Roblox should also be smart about rate limits too; hitting the rate limit way to often should alert Roblox that something isn’t right and change the developer token on the account. If the user continues to hit the rate limits way too often, moderate them because they’re probably doing something they shouldn’t be.

Sidenote: Roblox should definitely use machine learning to learn what spam is and stop it (trained with the spam bots).


With Roblox continuing to make changes to the API that affect a lot of us, it’s getting annoying to dedicate time to releasing patches that just break again with the next breaking change rather than working on improving the API wrapper itself. Roblox can not only help us in the process of improving their API but future projects that they may have that involve the use of these API endpoints.


Fix the API by adding OAuth system, rate limits, and developer tokens. Make people happy and safer.


This topic was automatically closed after 1 minute. New replies are no longer allowed.