Legacy Cloud API - Batch Accept/Decline Join Requests returning 403

Description
Sending a DELETE or POST request to https://groups.roblox.com/v1/groups/{groupId}/join-requests returns a 403 Forbidden, stating that the XSRF token is invalid.

Sending a GET request to the same endpoint returns a 200 status and the appropriate response data.

I have been able to reproduce this issue across many groups and many different Roblox accounts.
This issue even occurs when sending a test request from the endpoint tester via https://create.roblox.com/docs/cloud/reference/domains/groups#groups_post_v1_groups__groupId__join_requests

Reproduction Steps

  1. Make a POST/DELETE request to https://groups.roblox.com/v1/groups/{groupId}/join-requests
  2. Include a valid .ROBLOSECURITY cookie
  3. Include a valid/recently generated X-CSRF-TOKEN header.
  4. Attach the {Roblox.Groups.Api.MembersRequest} body to the request.

Expected behavior

The API request should return a 200 status code and accept/decline their join requests respective to the endpoint call.

From what people have been saying, bulk accept and decline were removed in the latest group layout change.

This is a breaking change and should be reflected in the documentation if true.

Thanks for reaching out! That route does exist and I was able to get back a 200 response when calling it from the docs website

This likely points to an issue with the X-CSRF-TOKEN you are passing in the request. Do you have problems with POST requests to any of our other endpoints?

Hi @CardImplicitDress,

Thanks for the quick response.
I do not have this issue with any other legacy API endpoint.

I’m able to send GET/POST/DELETE requests without issue to other endpoints.

Please note (off the top of my head) that the endpoint tester says it returns 200; however, in the Network tab of the Dev Tools the request returns 403. I can test this later when I get back from work and send screenshots.

If you need any other information to narrow down the problem please let me know!

Upon further testing I find that when using the docs page to test the endpoint it sends two requests.
The first request fails with a 403 citing the XSRF token validation error, and the second request succeeds because it resends the request with the XSRF token sent in the response headers from the first request.

I’m still unsure why, when I send an HTTP request with a valid XSRF token in a single request, it returns 403.
Am I supposed to just accept that the first request will always fail and then resend an identical request with the returned XSRF token in the response headers?
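The two-request pattern observed above (a state-changing call is rejected with 403, the response carries a replacement token in the `X-CSRF-TOKEN` header, and an identical resend with that token succeeds) is worth handling deliberately in a client rather than by blindly retrying. The block below is an added example and is not code from this thread or from Roblox; `FakeGroupsServer` is a constructed stand-in that mirrors the behaviour described here, the `.ROBLOSECURITY` cookie value and the request body are constructed placeholders, and the real `Roblox.Groups.Api.MembersRequest` body shape is not assumed. The client retries exactly once, and only when the 403 carries a fresh token, so a genuine authorization 403 is never retried in a loop.

```python
"""Client-side handling of the X-CSRF-TOKEN challenge/retry flow.

Added example, not from the thread. FakeGroupsServer is a constructed
stand-in for the endpoint behaviour described in the thread, not the real
groups.roblox.com service.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CSRF_HEADER = "X-CSRF-TOKEN"
COOKIE_NAME = ".ROBLOSECURITY"

# A transport takes (method, url, headers, body) and returns
# (status, response_headers, response_body). Real code would wrap urllib/requests.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]


@dataclass
class FakeGroupsServer:
    """Constructed stand-in: only the most recently issued token is accepted."""
    current_token: str = "token-A"
    accepted: List[Tuple[str, str, Optional[bytes]]] = field(default_factory=list)
    calls: int = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Tuple[int, Dict[str, str], bytes]:
        self.calls += 1
        if method == "GET":
            # Read-only call: no CSRF check, matching what the thread observed.
            return 200, {}, b'{"data": []}'
        cookie = headers.get("Cookie", "")
        if not cookie.startswith(COOKIE_NAME + "=") or cookie == COOKIE_NAME + "=":
            return 401, {}, b"Unauthorized"
        if headers.get(CSRF_HEADER) != self.current_token:
            # Reject, but hand back the token the client should use next.
            return 403, {CSRF_HEADER: self.current_token}, b"Token Validation Failed"
        self.accepted.append((method, url, body))
        return 200, {}, b"{}"


class CsrfClient:
    """Sends authenticated requests and refreshes the CSRF token on challenge."""

    def __init__(self, transport: Transport, cookie: str, token: Optional[str] = None):
        self.transport = transport
        self.cookie = cookie      # constructed placeholder; never log this value
        self.token = token        # cached CSRF token, None until first challenge

    def request(self, method: str, url: str,
                body: Optional[bytes] = None) -> Tuple[int, bytes]:
        headers = {"Cookie": f"{COOKIE_NAME}={self.cookie}"}
        if self.token:
            headers[CSRF_HEADER] = self.token
        status, resp_headers, resp_body = self.transport(method, url, headers, body)
        new_token = resp_headers.get(CSRF_HEADER)
        # Retry exactly once, and only on the token-refresh signature: a 403 that
        # carries a replacement token. A 403 without one is a real authorization
        # failure and is returned to the caller unchanged.
        if (status == 403 and method != "GET"
                and new_token and new_token != self.token):
            self.token = new_token
            headers[CSRF_HEADER] = new_token
            status, resp_headers, resp_body = self.transport(method, url, headers, body)
        return status, resp_body


if __name__ == "__main__":
    server = FakeGroupsServer()
    client = CsrfClient(server, cookie="constructed-cookie-value")
    url = "https://groups.roblox.com/v1/groups/1234/join-requests"  # placeholder group id
    status, _ = client.request("POST", url, b'{"constructed": "placeholder body"}')
    print(status, "after", server.calls, "transport calls, token now", client.token)
```

Because the rejected first request fails at the token check before any action is taken, resending it does not double-apply the accept or decline; the retry guard still matters so that a 403 caused by missing permissions is surfaced instead of being retried forever.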