Introducing Account Session Protection

Will endpoints that require no authentication/cookies stay public?

Thanks and yes, endpoints that require no authentication will continue to stay public for the time being. We will make an announcement if any of the endpoints get deprecated in the future.

5 Likes

So, are there plans on outright removing these endpoints or just adding session protection? It seems very unclear what the plans truly are here, and I am concerned that browser extensions may continue to use the “session locked” token in order to retain the ability to use these endpoints on my behalf even after this date.

Thank you for the feedback! We will coordinate with Open Cloud for the enforcement of Account Session Protection to avoid disruption to creators’ use cases.

2 Likes

What about APIs like data.roblox.com and the develop APIs? I use these to upload and edit models as well as editing asset permissions. Will authentication for these APIs stay the same?

Thanks for the question! For the time being, this will not affect other APIs. We will coordinate with Open Cloud for any future API enforcement on Account Session Protection.

3 Likes

Is there a way where I can talk to the lawyers that represent roblox?

This is great news! Will this affect users who use a Random-User Agent, such as myself?

I’m glad Roblox cares a lot about their & our security now :smiley:
Again, thanks a lot for updating and improving the platform security for all of us!

1 Like

Great addition for security, but I am currently relying on cookies to rank people in my group. Are there any alternatives currently?

Thanks for the feedback. I believe that endpoint is currently unauthenticated; in that case, your use case won’t be affected.

4 Likes

If I turn it off, I can't reopen it?

1 Like

Holy moly Roblox, this is genuinely one of THE best updates y'all have ever pushed; this has been plaguing Roblox forever. W.

2 Likes

In addition to this question, I don’t know much, I’m just asking to learn, sorry if it’s a stupid question. This feature is enabled on my account. I copied the cookies and pasted them on another device, and my account opened. What exactly does this feature do?

1 Like

I like how this was marked as the solution. Very rarely is a community post the solution in #updates:announcements lol

It just goes to show how much potential this update has if implemented properly

3 Likes

Haha yes, I was very surprised when I saw that it was marked as the solution as well! :sweat_smile:

1 Like

Say a hacker stole your cookie before this update. They could use it to basically do anything they wanted with your account, since the cookie is like a key that could work anywhere on Roblox.

This update makes it so that your cookie only works on the IP it was created on. The hacker would need access to your physical internet router in order to abuse your cookie, which basically stops them (unless they live with you).

3 Likes
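The IP-bound cookie behaviour described in the post above, as an added illustration that is not Roblox's code and is not from the original thread: a minimal server-side session store that records a keyed fingerprint of the client IP at login and rejects the same token when it is replayed from a different address. All class and function names, the server key and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user_id: str
    ip_fingerprint: str  # keyed hash of the login IP, so raw IPs are not stored


class SessionStore:
    """Hypothetical session store that binds each token to the login IP."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._sessions: Dict[str, Session] = {}

    def _fingerprint(self, client_ip: str) -> str:
        return hmac.new(self._key, client_ip.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session token
        self._sessions[token] = Session(user_id, self._fingerprint(client_ip))
        return token

    def validate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user id if the token is valid for this IP, else None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        expected = self._fingerprint(client_ip)
        if not hmac.compare_digest(session.ip_fingerprint, expected):
            # Token presented from another network: treat it as a stolen cookie.
            # A real service would log this event and may revoke the session.
            return None
        return session.user_id

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def demo() -> Tuple[Optional[str], Optional[str]]:
    store = SessionStore(b"constructed-server-key")
    token = store.create("user-123", "203.0.113.10")  # constructed login IP
    same_network = store.validate(token, "203.0.113.10")
    # The same cookie replayed from a different network (the stolen-cookie case).
    other_network = store.validate(token, "198.51.100.7")
    return same_network, other_network
```

Note that this binds to the IP alone, which is exactly the limitation raised in the reply about IP locks being easy to bypass; binding to additional device signals would follow the same pattern with more inputs to the fingerprint.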

I do actually think it could be HWID locked, since IP locks are notoriously easy to bypass.

2 Likes

Amazing work, thank you for this one. This is actually such a huge update, cookie stealing has been around for as long as I remember and it’s something I’ve always been concerned about.

1 Like

Does that mean that websites like BloxFlip will not be working anymore? (I hope it will.)

1 Like

Sounds like a dumb idea not to undo it. Just lock it behind an email or something…

1 Like

claps claps Big W Roblox. Two very good security updates in the past week.

1 Like

As someone who deals with system level software in the real world, I’m surprised that this wasn’t implemented a long time ago on the platform. Tying the session cookie to the device should have been SOP from the start. Browsers do have more functionality available today than they did 10 years ago via client side JavaScript. So how is Roblox handling session fixation which can lead to the user’s cookie being stolen in the first place?

4 Likes

bro just confessed to gambling on BloxFlip :skull:

3 Likes