We recently updated the Open Cloud reference to better publicize the full list of available endpoints.
The reference is now broken into two sections:
- A feature-based section that categorizes APIs by use case (Avatars, Game Passes, Users, etc.).
- A more traditional section that separates APIs by system version (i.e. Open Cloud v2, v1, or Legacy) and then categorizes them by subject.
Both sections contain the full list of available endpoints, so we’re interested in hearing your thoughts on discoverability and usability. Does the feature-based section help you find new APIs that you haven’t worked with before? Do you see yourself using both sections, or does one seem much more intuitive and useful than the other? Which features do you use most frequently, anyway? Please check out the new Open Cloud reference and let us know.
We’ve also standardized our definitions of stability. All APIs that support API key and/or OAuth 2.0 authentication now use the same stability definitions as Open Cloud v2 and v1. Initially, all Legacy APIs with API key support will be at “beta” stability. We’re looking to add secure authentication and better documentation to many more cookie APIs in the near future, so stay tuned as we continue to build out Roblox’s Cloud API surface.
A better way to authenticate for legacy APIs, that doesn’t involve cookie stuffing and also creates a unique token for that session, is to use the quick login protocol. I’ve got a guide on it somewhere. This is fairly safe, as from my testing it only works for devices that have the same IP address.
It’d be nice to have a more automated way to log in that doesn’t involve captcha challenges but I get why this is done.
I haven’t used this system, I don’t think, but it seems very powerful. There’s a lot here.
I’m looking at the documentation with the list of APIs to Get. Does POST mean WRITE? There’s also PATCH, DELETE, and maybe something else I’m missing.
Are all of these accessible to us developers/anyone? Or, is it like RBXScriptSecurity where only Roblox can access some things? I wouldn’t want others to have access to my phone number or control verification information and whatnot. I see the occasional 401 error code mentioned in the docs: “0: Authorization has been denied for this request.” I assume that means privacy is intact.
A POST request usually creates/modifies something, a PATCH request is also used to modify something, and a DELETE request deletes something.
These are accessible to anyone, but if you do not have the credentials to access an account, you cannot do anything. So if you try to mess with a random person’s account, you will get a message saying “Unauthorized”. If you give someone access to your account by sharing your auth cookie, then they can use any endpoint and do whatever they want with your account. Or you can use OAuth2 or API keys to share limited access to parts of your account.