Introducing Account Session Protection

Thank you for your hard work in making this happen. This will help a lot of people stay safer. I’m hoping to also see some additional security measures taken to combat another common “hacker tactic”: phishing.

Perhaps doing something similar, like recognizing if a brand new device is trying to log in (and especially if it logs in from an entirely different country/VPN) would help a bit.

Your work is much appreciated!

2 Likes
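As an added illustration of the new-device / new-country login check suggested in the reply above (example code written for this page, not Roblox’s implementation of Account Session Protection; the event fields, the GeoIP-derived country and coordinates, the device identifier, the speed threshold and the allow/challenge/deny outcomes are all assumptions):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set
import math

# Constructed example, not Roblox code. All thresholds and field names are assumptions.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: roughly airliner speed; faster means "impossible travel"


@dataclass
class LoginEvent:
    account: str
    device_id: str    # assumed: stable per-client identifier (e.g. a random ID stored on the device)
    country: str      # assumed: ISO 3166 country from a GeoIP lookup of the client address
    lat: float        # assumed: GeoIP coordinates of the client address
    lon: float
    ts: datetime


@dataclass
class AccountHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_login(history: AccountHistory, event: LoginEvent) -> List[str]:
    """Return the risk signals raised by this login against the account's history."""
    reasons = []
    if event.device_id not in history.known_devices:
        reasons.append("new_device")
    prev = history.last_login
    if prev is not None:
        if event.country != prev.country:
            reasons.append("new_country")
        hours = (event.ts - prev.ts).total_seconds() / 3600.0
        if hours > 0:
            dist = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
            if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append("impossible_travel")
    return reasons


def decide(reasons: List[str]) -> str:
    """Map risk signals to an outcome: deny on impossible travel, step-up on anything new."""
    if "impossible_travel" in reasons:
        return "deny"
    if reasons:
        return "challenge"   # e.g. require an out-of-band verification before the session is issued
    return "allow"


def process_login(history: AccountHistory, event: LoginEvent) -> str:
    outcome = decide(assess_login(history, event))
    if outcome != "deny":
        # Only logins that were actually granted update the history; a denied attempt
        # must not teach the model that the attacker's device or location is "known".
        history.known_devices.add(event.device_id)
        history.last_login = event
    return outcome


def run_demo() -> List[str]:
    """Constructed sequence of logins for one account; returns the outcome of each."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    nyc = (40.71, -74.01)     # constructed coordinates
    berlin = (52.52, 13.40)
    events = [
        LoginEvent("alice", "dev-A", "US", *nyc, t0),                              # first ever login
        LoginEvent("alice", "dev-A", "US", *nyc, t0 + timedelta(hours=2)),         # same device, same place
        LoginEvent("alice", "dev-B", "DE", *berlin, t0 + timedelta(hours=2, minutes=30)),  # 30 min later, new device, Berlin
        LoginEvent("alice", "dev-B", "DE", *berlin, t0 + timedelta(hours=14)),     # 12 h after the US login
    ]
    history = AccountHistory()
    return [process_login(history, e) for e in events]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The third event is denied because New York to Berlin in thirty minutes exceeds any plausible speed; the fourth is the same device and country twelve hours later, which is physically plausible but still a new device and a new country, so it gets a step-up challenge rather than a silent allow. Note that a denied attempt never updates the account history, so an attacker cannot make their device "known" by simply retrying.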

While this is a big W in general, it looks like this will affect the RoPro plugin. For any that don’t already know, RoPro has 2,000,000+ installs and 360,000+ group members, and is subscription-based ($ or gamepasses, but there is also a free version).

I’m sure they’ll update to OAuth2 if possible, but if that isn’t enough, I can see a lot of users opting out. I myself wouldn’t, because security is more important to me. So Roblox, please work with RoPro to make the proper APIs work, and RoPro, please don’t ask me to opt out.

3 Likes

Didn’t expect this update. Roblox is getting better: first killing exploiting, and now account theft? I LOVE THE TEAM BEHIND THIS PLATFORM!

1 Like

You claim to be a “Web Developer” but have no idea what you are even talking about. Taking 2 minutes to read the post would probably be better than defaulting to “Roblox disaster”.

5 Likes

I hope this doesn’t affect asset uploading in the future, either directly through endpoints or through Tarmac. The ‘open cloud’ endpoints have been lacking for this use case; you still cannot upload rbxms to models, whitelist audios/videos, etc.

4 Likes

That’s great for account security; amazing work by the Roblox team!

2 Likes

This is probably the biggest and most useful account security update I’ve seen added to the platform. To the people who are working towards getting this fully rolled out, thank you so much. I’ve been in constant fear of losing my account due to clicking on sites for the longest time, and once this is out I’ll finally be able to have enough confidence in Roblox security to stop checking every link I see for typos like “roblicks”, etc. Really looking forward to it.

1 Like

If this works and cannot be spoofed, then that’s incredible. I’ll feel much more at ease.

1 Like

I appreciate this enhancement to account security and further appreciate the ability to opt out for those of us who need access to unsupported APIs. However, all my existing cookies have been wiped upon opting out requiring me to go back and update them in my scripts. Hopefully this could be changed for those who need to opt out in the future.

1 Like

A HUGE roblox security update! Thank you! Just a few notes: Browser extensions run on client devices.

Maybe Roblox doesn’t want browser extensions to do so, but this update won’t affect the ability of extensions to do so.

Edit: I mentioned something about Roblox restricting the ability for bots (that follow the TOS), but I saw the ability to opt out, which is amazing. Just make sure to make it clear to users not to disable that unless they know what they’re doing.

2 Likes

Thanks for your question! This will not affect VPN users, since Account Session Protection is not based on IP.

6 Likes

I doubt Roblox would compensate them and give their Robux back.

1 Like

Great update, Roblox. Another W.

2 Likes

An amazing new feature until beamers trick people into turning it off! :skull:

3 Likes

Stake in the coffin for those little organizations scamming kids through Discord. This kills the majority of phishing techniques.

3 Likes

I really love how you can opt out of this so devs are still able to use cookies.

2 Likes

You can continue using the bot account; just opt out the bot as shown before harvesting the authentication token from the browser.

Some of what you mention is covered by Open Cloud roadmap (e.g. group management APIs). For downloading specific versions of a place via Open Cloud please file a feature request if you do not see it on the roadmap.

(Note that messaging users in the way you suggest is not something we officially endorse. I would recommend filing a feature request on the need to send users notifications with a clarification on your use cases so we can properly fill the gap there.)

6 Likes

We continuously invest in the safety of our APIs. We have entire teams working on these topics.

We’re making this announcement specifically because of the effect it has on creator usage of our APIs. Not all safety changes we make affect creator usage or are relevant to creators, so we don’t make announcements for every improvement in this area.

Can you clarify the question? We’re not removing any APIs due to this change, no.

3 Likes

No, this announcement does not mean to imply we will remove API endpoints. We are saying that the additional protections would make it much harder, if not infeasible, for your tooling to be calling these endpoints if you do not opt out the authentication token.

Furthermore, we’re trying to instill a best practice that your tooling should ideally not be using these endpoints, and instead make feature requests for what you need to be added to Open Cloud, so we can properly accommodate third-party tooling usage via Open Cloud, with proper contracts, scoped authorization and other best practices you will benefit from.

We realize that in the short term this isn’t practical, because it will take us time to offer everything you might need on Open Cloud; hence the opt-out is available for specific current scenarios.

Will forward this concern, thanks.

9 Likes

Seen and forwarded, thanks. Do you have any open thread on the .rbxm/.rbxmx issue you refer to?

Let me know if I’m understanding something incorrectly here, but to the best of my knowledge Studio doesn’t use any of the endpoints listed in this announcement if there is already an authenticated session. This change therefore shouldn’t influence the state of things here, right?

This is a big ask that I think has some open feature requests already. It doesn’t seem like there is actually a need to run Studio, but instead to have a way to run a headless engine for testing situations and such. I recommend funneling these needs into a separate thread as well. Rather than hearing the proposed solution, it’d be great to learn more about the underlying needs, because there might be multiple solutions for these needs.

6 Likes