Mechanisms for automated access to (part of) the web API through bot accounts/tokens


As a Roblox developer, there is no official way to interact with any web API in an automated fashion. To create bots, Developers would create new Roblox accounts and use them as their bots. Recently, Roblox added a new captcha system which essentially broke bots. This makes it very challenging to create a bot. This captcha system was needed to ease down the huge wave of malicious bots that was basically taking over Roblox.

Suggested solution:

I propose to add official mechanisms for automated access to (at least a part of) the available Roblox API endpoints.

Example of an implementation of the solution: (Bot accounts)

To create a bot, a user would go to the Develop page and click a button that would lead to the bot creation process. Here, the bot creator would give the bot a name and a profile picture if they wish for the bot to have one, otherwise, there would be a default profile picture. After the bot has been created, a bot token would be created. This bot token can be used as an authentication key that allows the developers to perform actions through the bot.

To prevent any abuse of this bot, there would be restrictions to this bot. Bot accounts will not be like regular player accounts. They can’t have friends, followers, or follow any users. They also can’t like or dislike games or private message users. They would be allowed to post on the group wall but the rate at which they can post messages would be limited. The user would also have the ability to generate a new bot token in case their bot token is compromised.

When a bot is added to a group, the user could assign a role to the bot or there can be like a system where the bot is granted certain permissions. Only the bot creator would be able to invite their bots groups. To add a bot to a group, the bot creator would have to have developer access in the group and if the bot creator is not the group owner, then the group owner would have to accept the request and grant the bot the permissions it needs.


I know that my request requires a lot of work in order to make it a reality, however, it would help a lot of developers. For example, if this was implemented, it would make it possible for me to create an automated process for ranking people up in a group from outside of Roblox games. Moreover, this would allow better integration with popular community tools outside of Roblox which are necessary to drive engagement and community value for our games.

There are many other uses for bots that I know that a lot of developers would find very useful, please comment below if you have any additional use cases yourself. Thank you for reading, and let me know what you think about this idea.


I’m Qxest and I maintain the noblox.js API wrapper that users use to interact with Roblox’s API. This is not the only API wrapper out there but it is one of the most frequently used API wrappers for Roblox.

Major Problems

As a Roblox developer, it is currently too hard to use Roblox’s API without using some kind of API wrapper. API wrapper developers face the problem of running into the X-CSRF-TOKEN problem. The problem we have with X-CSRF-TOKENs is that they’re required in almost every request we send to Roblox’s website (list of endpoints from a website that use CSRF token listed at bottom), like the shout endpoint, and that it refreshes in an unpredictable manner. You can’t get an X-CSRF-TOKEN without a dirty hack that involves sending a request to some endpoint like logout (despite not being logged in) and getting the X-CSRF-TOKEN from the header on the error response you get back.

Endpoints that use CSRF token
Thank you Gamenew09 for helping me compile this list.

Just recently, Roblox released an update that placed a Funcaptcha (turn this duck right side up-type captcha) on certain pages preventing many bots from logging in. This stopped the spam bots, but it did also take down bots and web APIs that logged in and used Roblox’s API for non-malicious reasons including ClanLabs (group management system used by many clans including FEAR) and the bot that accepts players into the DevForum group on Roblox. As Roblox continues to release new updates that are meant to counter malign bots, legitimate bots are disrupted in the process and so Roblox should release an ecosystem empowering users to create good bots while at the same time preventing bots from abusing the API.

What if the user wants to use a bot with their account? Right now when logging in and you use a captcha solving service, you put in your username and password which grants full access to your account rather than select permissions. You can’t tell the API wrapper what permissions you (don’t) want it to have access to which poses as a security risk.

Proposed Solution

I propose that Roblox implements a developer token system. A developer token system would allow users to interact with Roblox’s API without facing all of the above problems. Verified Roblox users (verified email on account, probably 13+) would have access to a page in My Settings that would allow them to generate an API access key. Limiting this to verified Roblox users would help on eliminating bots created by amateurs for mischievous purposes and an age limit would help prevent unsuspecting children from creating a token without understanding the dangers of making them. How do you reduce the number of bots generating these keys and continue users to create legit bots? Implement a captcha here. Because the user would rarely be making these developer tokens, a captcha would make sense because it would help eliminate bots from creating a bunch of developer tokens and would be as little of a hassle to the user as possible. These API access keys would be similar to how Discord allows users to create bots and receive a token which they can use to interact with the API.

By enforcing rate limits, Roblox can also attack the bot problem using these developer tokens. Discord has rate limits on their API and when you do something dumb like send a bunch of POST requests to one endpoint, you get rate limited. What if you hit the rate limit way too often? You get banned (and possibly other accounts that have been used on your IP address though this may not do much good).

With developer tokens, Roblox can implement a permission system which allows the API to access certain endpoints and restrict access to others. Maybe a user wants the bot on their account to only rank users and not be able to spend Robux on the end-user’s account.

Sample Usage

  • User signs up for Roblox (or uses an existing account)
  • Verify account if they need to
  • Goes to Developer Tokens page
  • Creates new Token and selects permissions it wants the token to grant
  • Places Token in API wrapper or sends it with requests to Roblox API


Implement developer tokens so we don’t have to send X-CSRF-TOKEN and .ROBLOSECURITY cookie with every request sent to Roblox API.


I’m going to bring this issue up again. It’s hard for me to rewrite noblox.js without being logged out on every session. The current codebase is incredibly messy and it lacks a bunch of features. When I run my current code, I’m logged out on my browser and have to log back in every time. The whole process is inefficient and unreliable. People are unable to use free platforms like Heroku and Glitch without unnecessary workarounds. Through all this, the point made in December about this not stopping bots still stands. Implementing a token system with specific requirements for features that can be abused easily can help reduce the amount of malicious bots on Roblox.


Considering this affects me such as my tutorials I wrote:

Is there any staff who can respond to this, a good majority of clans depend on these bots.


As a ROBLOX developer, it is currently too hard to create supported Bots which interact with the ROBLOX API. With the out of control scam botting and other harmful content, we have nearly lost the ability to make useful functional Bots due to FunCaptchas and various Anti-Botting measures being put in place.

I propose a system similar to how Discord bots work, where Bots are created under the User and require an API key to function. These bots would be rate-limited and can have automated checks to ensure they’re not going around promoting scams/harmful content. Additionally, bots could have a Permissions system to fine tune what APIs can be accessed (such as only access to Groups and Chats API for a Group Management Bot). This would enable so many new possibilities while still making it possible to keep users accountable for their actions.


As a developer on the Roblox platform, who specializes in creating websites, and services, I am always finding a reason that I need to be able to work with Roblox user accounts to perform automated-bot actions. I have a few reasons that have persuaded me to make this post.

I am always finding myself in a predicament of trying to find and fix API issues without having a native, supported bot API, and sometimes have to find new ways to solve captchas in real-time, which can be quite expensive, and at some points, unbearable for site developers like me.

For users, this makes it easier to differentiate a bot from a typical player; this also allows Roblox to have more control over what’s going on with bots on the platform. I can only assume how many bots there are on the Roblox platform that perform unnecessary requests because there is no documented API for developers outside of Roblox. Yes, every subdomain has documentation; however, they change, and you sometimes don’t know until it’s affecting your end-product.

Having no developer supported bot API is such an issue that people on the Roblox platform pay for people to host bots, and other services like that for them. There must be thousands of people who pay or use bots, which are just clogging up the normal user count. On another note, I know that there is considerable demand for bots, I know this because I own a service named myCenter – a service made around automation and applications that has over 5,000 groups joined on our platform in a matter of a few months. I’ve also seen a lot of other people creating services for the sole purpose of creating bots, which have hundreds of users.

Now with all great things comes with restrictions, this bot API should be limited, of course, actions such as liking games, messaging, and the following players should be disabled to prevent abuse.


It’s sad to see that Roblox has never actively reported or shared their thoughts about a proper system like this. The current APIs work, of course - but I’ve had to update the endpoints and change some backends of my own projects to make sure that they would still work with a new system.

They are also spread over a few domains. We’re missing some proper, centralized, documentation.

Come on, Roblox. You can do way better.