We recently rolled out several updates to Group roles in Creator Hub to give you and your team more granular control over managing secrets. In the past, only group owners could handle secrets-related tasks, which created bottlenecks in team development workflows. With the new permission updates, you can now delegate these responsibilities to group members, helping your team collaborate more efficiently and move faster.
Here’s what’s new:
1. Edit permissions now automatically include secret-listing access
Group members who have permission to edit an experience will now automatically be able to see the list of secrets for that experience. When navigating to Creator Dashboard and selecting the experience, they will now have access to a read-only version of the Secrets Manager page, which was previously only available to group owners. This update applies to both group-wide and per-experience edit permissions.
2. New permission for managing secrets.
For team members who need more control, we have added a new permission “List, create, update, and delete secrets for all group experiences”. Group owners can now assign this permission to specific roles, granting your group members capabilities to manage secrets for all experiences owned by the group. This is also available as a per-experience permission.
New permission for listing, creating, updating, and deleting secrets
We hope this change will help streamline your team’s development workflow and improve collaboration. As always, we welcome your feedback and questions.
If you have an external service, e.g. one that keeps track of servers in your game; you’d need a layer of authentication infront of it, if a bad actor gets ahold of your source, and there’s no authentication: you’re screwed.
The simplest thing is to add a basic header key-value check, essentially Authorization=SECRET_KEY.
Now you just need a place to store the SECRET_KEY, here is where Roblox’s secrets store comes in.
Others have already explained it well but here is the link to the public document in case you want to explore more: https://create.roblox.com/docs/cloud-services/secrets. Secrets (API KEY, access token, etc) are used together with HttpService so your experience can authenticate safely when calling external services outside of Roblox.
I’m still looking for Playtest all group experiences to do as labeled:
Setting that permission does not allow for users to playtest paid access games. I would like either the current setting to encapsulate this behavior, or for there to be an additional setting that grants users access to paid experiences.
