Is there a way to get the X-Csrf Token automatically?

When I take the Token from my home page and input it in this function, my request goes through; however, every few minutes the Token changes. Is there a way to automatically get it?

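local httpservice = game:GetService("HttpService")
local data = {} -- request body goes here (placeholder; not shown in the post)

-- POSTs DATA, JSON-encoded, to URL with the given request headers.
local function postasync(URL, DATA, HEADERS)
	return httpservice:PostAsync(URL, httpservice:JSONEncode(DATA), Enum.HttpContentType.TextPlain, false, HEADERS)
end
local headers = {["Cookie"] = "Blah Blah", ["X-Csrf-Token"] = "Blah BLah"}
print(postasync("https://accountinformation.roproxy.com/v1/description", data, headers))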

If I remember correctly, sending a request to https://auth.roblox.com/ (so like auth.roproxy.com probably) will have the Token in the response’s headers

I did a RequestAsync to https://auth.roblox.com and checked the headers but the Token wasn’t in there

Did it include your .ROBLOSECURITY cookie? Edit: hold on, doing some investigating

Ok, so it’s actually: https://auth.roblox.com/v2/logout, and here’s some working code I wrote to get the token:

local cookie = "cookie here"
local httpService = game:GetService("HttpService")
local maxAttempts = 5
-- Keep only the value after the "|_" that ends the warning prefix, if the prefix is present.
local cookieValue = cookie:find("|_") and cookie:split("|_")[2] or cookie

-- Calls func under pcall; if it throws, retries until it succeeds or
-- the attempt count passes maxAttempts.
local try = function(func)
	local success,response = pcall(func)
	if not success then
		local lastRequest,attempts = tick() - 0.1,0
		repeat
			-- Yield briefly if the previous attempt was less than 0.05 s ago.
			if(tick() - lastRequest < 0.05) then
				task.wait()
			end
			success,response = pcall(func)
			lastRequest = tick()
			attempts += 1
			if not success then
				warn(response,"retrying")
			end
		until(success or attempts > maxAttempts)
		return success,response
	end
	return success,response
end

-- POSTs to the logout endpoint and returns true plus the x-csrf-token
-- response header, or false and an empty string if the request kept erroring.
local getToken = function()
	local success,response = try(function()
		return httpService:RequestAsync({
			Url = "https://auth.roproxy.com/v2/logout",
			Method = "POST",
			Headers = {
				["Content-Type"] = "application/json",
				["Cookie"] = ".ROBLOSECURITY=" .. cookieValue
			}
		})
	end)
	if success and response then
		return true,response.Headers["x-csrf-token"]
	else
		return false,""
	end
end

print(getToken())

I wrote it as such to handle errors and automatically retry, as the web API is notoriously annoying to work with and can error at any time.

Personally, I’d use promises over my janky retry method, but this is what works for now.

Most often when a request fails it returns a valid x-csrf-token within the response return headers, that you can then use on the request headers and retry with the same parameters. Basically you can get the token by making a single failed request first.

Also I think you need to use RequestAsync in order to use headers for HTTP requests.

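The fetch-and-retry pattern described in the last reply, as an added example that is not part of the thread: send the request, and if it is rejected with a fresh x-csrf-token in the response headers, cache that token and resend once with the same parameters. The function name, the `options` fields and the check for status 403 are this example's assumptions; the cookie is passed in by the caller rather than written into the script.

```lua
-- Added example, not code from the thread. Assumes a server Script with HTTP requests enabled.
local HttpService = game:GetService("HttpService")

local cachedToken = nil -- last token the server issued; reused until it is rejected

-- options = { Url, Method, Body (table or nil), Cookie (string) }  (field names are this example's own)
local function requestWithCsrf(options)
	local function send()
		local headers = {
			["Content-Type"] = "application/json",
			["Cookie"] = ".ROBLOSECURITY=" .. options.Cookie,
		}
		-- Only attach the token header once a token is known.
		if cachedToken then
			headers["X-Csrf-Token"] = cachedToken
		end
		return HttpService:RequestAsync({
			Url = options.Url,
			Method = options.Method or "POST",
			Headers = headers,
			Body = options.Body and HttpService:JSONEncode(options.Body) or nil,
		})
	end

	local response = send()
	local issued = response.Headers["x-csrf-token"]
	-- Assumption: a missing or expired token is rejected with 403 and the
	-- replacement token is returned in the x-csrf-token response header.
	if response.StatusCode == 403 and issued and issued ~= cachedToken then
		cachedToken = issued
		response = send() -- one retry only, so a real 403 cannot loop forever
	end
	return response
end

-- Usage with the URL from the question (cookieValue and data are the caller's own values):
-- local ok, res = pcall(requestWithCsrf, {
-- 	Url = "https://accountinformation.roproxy.com/v1/description",
-- 	Cookie = cookieValue,
-- 	Body = data,
-- })
-- if ok then print(res.StatusCode, res.Body) else warn(res) end
```

Because the token is cached between calls, the extra round trip only happens when the server rotates it. RequestAsync can still throw on network errors, which is why the usage wraps the call in pcall.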