IP Changes Invalidate Cookie

As I mentioned earlier, they can easily take this time to look for alternative methods that would get them the same result. This is why a lot of us have seen an uptick in fake Discord server mod scams where people essentially fake screenshots and then impersonate a moderator of a server. From there they try to capitalize on the fact that you’re panicking about something you haven’t done and ask you to reveal information that you otherwise wouldn’t have given up.

1 Like

In a normal society, that would make perfect sense, but this is Roblox and I can assure you that they’re far from normal. Unless they say the words “we officially supported bots”, it’s not officially supported. OpenCloud is a push towards that. However, with the current methods used to log in, Roblox wouldn’t support a use case that can directly lead to the loss of someone’s account. Especially when they’re going this far to prevent it. “Web Developer” can literally mean anything web-based. Not everything web-related has to do with APIs.

If you’re testing a system (A/B testing) that relates to security, what is one of the things that they’re testing for?

Integrity. More specifically, account integrity.

If you’re attempting to develop an exploit that directly phishes accounts, what do you think that exploit is targeting?

Integrity. More specifically, account integrity.

By the transitive property of common sense, we can conclude that they want time with minimal interference to make sure that this system is concrete. Announcing it across the platform while it’s not concrete is not a smart play.

Truthfully, I don’t know what it is someone could develop in this time span because I don’t actively phish accounts. That being said, just because we don’t know doesn’t mean that someone else doesn’t.

If you’ve ever worked at a big company, it definitely isn’t one person. It’s a team of people, oftentimes cross-functional. As weird as Roblox is, I think that they thought about this for a while and that this is a change that needed to happen in order for us to get anywhere in terms of automation support on this platform.

1 Like

This change (or at least what I believe this change is intended to be) would prevent all methods of stealing cookies to gain access to someone’s account, including cookie logging and sending people the cookie through some other means.

They can look for “alternative methods” (which would be vulnerabilities if they existed) during this time as well.

1 Like

I know, I was using that as an example of how it could easily be overlooked.

2 Likes

I’ve had that happen to me twice.

They’re incredibly annoying when you can’t get hold of a real mod/admin of the server to report the issue and get unbanned.

I’ve now disabled Direct Messages from Server Members for all servers to stop it happening.

3 Likes

If you look through the devforum you can see cases where staff respond acknowledging and ticketing unintended endpoint behavior, so they are maintaining the endpoint based on users’ reports.

2 Likes

Those endpoints directly affect users. So any issues that you find on those endpoints can affect users. If this wasn’t the case, they wouldn’t care.

Well after a few years Roblox is finally doing something about compromisers I guess

1 Like

I would rather you be inconvenienced than the community have their accounts risked through cookie logins. Better security trumps whatever off platform web api nonsense you are doing.

The percentage of users getting their accounts stolen outweighs the small fraction of web developers on the platform.

Better idea: allow users to enable/disable cross-IP cookies.

  • User accounts will have improved security.
  • Automation can still go through as usual (as those accounts can opt-out).

We are only facilitating small & large groups, such as 2M+ member communities. It’s a significant portion of the Roblox experiences.

5 Likes

This is not a small inconvenience. To get the token to use in the integration you need to log in to your Roblox account and grab it, but when you put that token into the integration it will then be invalidated due to it having a different IP. Basically it will be extremely hard to do any sort of integration with this change.

It broke our place publishing: our game, when published to GitHub, pulls models from another place and then publishes the game and models to Roblox. But since the cookie now gets invalidated, this does not work at the moment and we cannot release updates.

This change is hurtful to my ranking/management service and that of countless others within the community. Many of the core features that we provide revolve around using client-provided .ROBLOSECURITY cookies, necessary for their intended functioning. This is hurting us and our users who have already been affected by this change. Due to the way our infrastructure is scaled, there is no feasible way for us to circumvent this change in a manner that allows us to continue with our current feature set.

I am rooting for all other developers and services out there that this change is reversed, and/or an alternative method of authentication for scenarios similar to this is introduced and provided in a timely manner. The fact that this change was made without any advance notice, or at the very least a statement notifying of this change (of any sort), is very appalling.

4 Likes

Breaks our game.
Seems shortsighted to remove this feature.

Perhaps an alternative solution, if this is intentional, is the ability to label an account as an automated account.
I.e., like Discord bots, this would allow for automated accounts that don’t have this issue while also protecting users from cookie stealing.

3 Likes

I believe this is coming soon: Open Cloud API Keys Now Support Groups!

1 Like

Coming soon is not enough. This update breaks my applications and is also very counterintuitive: Roblox encourages us to authenticate with cookies when making API requests, even when we do not necessarily need to be authenticated, and gives us higher rate limits. This change is good for security but cannot be rolled out until there is another solution.

EDIT: Maybe we can see a solution as to whitelisting IPs, such as many other providers offer? This would allow me to whitelist my VPS.

4 Likes
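To make the two relaxations proposed in this thread concrete (the per-account opt-out from the “enable/disable cross-IP cookies” suggestion, and the IP whitelist for a VPS from the post above), here is an added example that is not code from the original thread or from Roblox: a server-side session store that binds a token to the IP it was issued to and rejects the same cookie replayed from elsewhere. Account names, IPs and the revoke-on-mismatch behaviour are constructed assumptions modelled on what posters report (401s and invalidated cookies).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    bind_to_ip: bool = True                          # opt-out flag ("cross-IP cookies")
    ip_allowlist: set = field(default_factory=set)   # e.g. a known VPS address


class SessionStore:
    """Constructed model: token -> (account, IP the token was issued to)."""

    def __init__(self):
        self._sessions = {}

    def issue(self, account, client_ip):
        token = secrets.token_urlsafe(32)        # stands in for a .ROBLOSECURITY value
        self._sessions[token] = (account, client_ip)
        return token

    def authenticate(self, token, client_ip):
        """Return the account name on success, or None (caller answers 401)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        account, issued_ip = entry
        if not account.bind_to_ip:                                # account opted out
            return account.name
        if client_ip == issued_ip or client_ip in account.ip_allowlist:
            return account.name
        del self._sessions[token]  # assumed: a mismatched replay revokes the session
        return None


def demo():
    """Constructed scenario: a logged cookie replayed from another IP."""
    store = SessionStore()
    victim = Account("victim")
    bot = Account("bot", ip_allowlist={"198.51.100.7"})
    legacy = Account("legacy", bind_to_ip=False)
    t_v = store.issue(victim, "203.0.113.5")
    t_b = store.issue(bot, "203.0.113.5")
    t_l = store.issue(legacy, "203.0.113.5")
    return {
        "victim_same_ip": store.authenticate(t_v, "203.0.113.5"),
        "victim_stolen": store.authenticate(t_v, "192.0.2.9"),
        "victim_after_revoke": store.authenticate(t_v, "203.0.113.5"),
        "bot_vps": store.authenticate(t_b, "198.51.100.7"),
        "bot_other": store.authenticate(t_b, "192.0.2.9"),
        "legacy_any": store.authenticate(t_l, "192.0.2.9"),
    }
```

The `victim_after_revoke` case shows the side effect several posters hit: once a bound cookie is seen from a second IP, it stops working even from the original one.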

What are you on about? There is only one time the captcha is needed, which costs about 5 cents, and that’s to retrieve the account cookie. The amount of members does not matter.

1 Like

A lot of services use multiple IPs, which would mean every time the service needs to do something on another IP it would need to complete a captcha. You can’t assume that Chris uses a fixed IP for everything.

2 Likes

Roblox decided to use a wrecking ball and destroy every application that uses their APIs with this update…

I use proxies for my ROBLOX projects constantly & with this brand new update coming into play, I receive 401s always & every cookie invalidates. This has to be possibly the worst update they have come up with… by far…

Please revert this update; all of these applications have gone into the wasteland after this update & which makes it impossible to use the API without getting rate-limited or receiving an unauthorised response.

4 Likes

That’s not how it works, if you’re running it on a VPS, probably do more research?

How this works is that it’ll grab a new Roblox account cookie if the cookie is invalid, this is repeated.

1 Like

God this is gonna mess up a ton of bots and websites.

What I would love to see is the Roblox team making it easier for us to create applications with the web endpoints. Ngl the guide itself is not that clear for beginners.

1 Like