Quick update: patching avatar outfits is now shipped as Medium rather than High level, thanks for the feedback again.
3 Likes
Thanks, looks like all of the other POST/PATCH avatar endpoints are now medium level as well (besides delete outfit, which is ok)
3 Likes
Curious on the following endpoints being documented as well.
- https://groups.roblox.com/v1/groups/${GroupId}/bans
- https://groups.roblox.com/v1/groups/${GroupId}/bans/${UserId}
- https://groups.roblox.com/v1/groups/${GroupId}/bans/${UserId}
I currently do some hacky stuff to get around these not being documented, on top of not being part of major modules like Noblox.js
Details
import fetch from "node-fetch"
import * as dotenv from "dotenv"
import * as fs from "fs"
dotenv.config()
const cookie = process.env.RBX_COOKIE
let xCsrfToken = ""
/*
Specifics to post url for banning
var GET_URL = `https://groups.roblox.com/v1/groups/${GroupId}/bans`
var POST_URL =`https://groups.roblox.com/v1/groups/${GroupId}/bans/${UserId}`
var DELETE_URL =`https://groups.roblox.com/v1/groups/${GroupId}/bans/${UserId}`
*/
const rbxRequest = async (verb, url, body) => {
const response = await fetch(url, {
headers: {
Cookie: `.ROBLOSECURITY=${cookie}`,
"x-csrf-token": xCsrfToken,
"Content-Length": body?.length.toString() || "0"
},
method: "POST",
body: body || ""
})
if (response.status == 403) {
if (response.headers.has("x-csrf-token")) {
xCsrfToken = response.headers.get("x-csrf-token")
return rbxRequest(verb, url, body)
}
}
return response
}
const response = await rbxRequest("POST", "https://auth.roblox.com/v2/session/refresh")
console.log(response.status)
const banresponse = await rbxRequest("POST", POST_URL)
console.log(response.status)
This is a pretty important documentation point that is yet to be put into the bans or groups docs, so wanted to point that out to hopefully get it pushed through as well.
Overall good update, and excited to see all the undocumented apis.roblox.com points come together under this system, too.
2 Likes
Thanks for letting me know about this, there was some code in place to withhold documentation for these endpoints as they were still being developed by the internal team that owns these. I checked and we’re ready to push these to the documentation now, so you’ll see those pop up soon.
3 Likes
In this page nothing is linking someone to the “Try It Out” feature, I think. 
Hey, yes this is a future work:
2 Likes
Hey everyone, thanks for all of the valuable feedback since launch! After review, we have decided to update some of the behavior for “Try It Out”:
- You can now use try it out while logged out. You just won’t be able to select “Cookie” authentication for requests @kingerman88 @Beloathed
- You can now select “Cookie” authentication for high risk endpoints. There is a second warning that pops up right before you send your first high risk endpoint request. This only shows once per session (i.e. after accepting the warning once on a high risk endpoint, no other high risk endpoint on the page will show that warning until you refresh/leave the page) @pyxfluff @xyrafrost @Exozorcus @Bestspyboy
We hope this improves your user experience!
6 Likes