Node.JS Error 401 when trying to use PrivateMessages API

I’m attempting to access the Roblox Private Messages API, specifically the V1 Send Post API. I’ve previously used many Roblox web APIs without any issues, including the games, users and open cloud APIs; however, I’ve only encountered the error 401 when using privatemessages.roblox.com/v1/messages/send. I know the robloxCookie var is correct, as I’ve used the same one for other APIs and it works flawlessly. I’m using the userId as the user who is sending the message, and the recipient is of course who I’m sending to.

Node.JS Code:

async function send (request, response) {
    axios.post("https://privatemessages.roblox.com/v1/messages/send", {
        params: {
            userId: 4732473164,
            subject: "Test",
            body: "Test",
            recipientId: 492727430
        },
        headers: {
            Cookie: "x-api-key: " + robloxCookie,
            "Content-Type": "application/json"
        }
    }).then((APIresponse) => {
        response.send(APIresponse.data)
    }).catch((error) => {
        response.send(error)
        throw error
    })
}

Error:
"message": "Request failed with status code 401",

Thanks in advance for any help.

1 Like

Have you been able to use this specific API link before? It might be temporarily/permanently disabled. That is, considering your cookie is indeed valid.

No, this is the first time I’ve tried this specific API endpoint. I also know the cookie is correct as I’ve tested it on the games API just there now.

x-api-key is not the cookie name for the Roblox cookie. It should be .ROBLOSECURITY

Also, you need to send the request with the x-csrf-token in the headers, which you can get by sending a request that results in a 401 and reading the token from the response headers.

1 Like

I’ve always been using x-api-key for sending my .ROBLOSECURITY cookie and it’s always worked fine. Also, would you mind explaining the x-csrf-token? I’ve never had to use that before, thanks.

Working APIs I’ve used before:
[image]

GET requests don’t need any cookies, so it simply ignores it. You’re doing a POST request now for private message sending, so you need to have a valid cookie name and value.

Cookie: `.ROBLOSECURITY=${cookie}`

X-Csrf-Token is a token used to verify that the authenticated user is the person actually making the requests to the application.

You have to pass it as a header value: X-Csrf-Token: "token"

You can get this token by making a POST request to an endpoint like https://auth.roblox.com/v2/logout with your cookie value. You will get a 401 error with the X-Csrf-Token in the headers, and then you can pass it in your headers for your actual request.

Also, your X-Csrf-Token will stay valid for up to 4 minutes

1 Like

Thanks for your help so far, I suppose that makes more sense. I have been making POST requests to the logout endpoint and I do get a 401 error in return; however, no part of the response includes the x-csrf-token.

Error Response:

You’re passing the headers as data and not actual headers.

I’ve checked my code with the axios docs and I am sending the cookie as a header and not as data.

async function getAccessToken (request, response) {
    axios.post("https://auth.roblox.com/v2/logout", {}, {
        headers: {
            Cookie: `.ROBLOSECURITY=${robloxCookie}`
        }
    }).then((auth_response) => {
        response.send(auth_response)
    }).catch((error) => {
        response.send(error)
    })
}

Check that you’re passing a valid cookie. If you are, there’s probably something wrong with your code (I don’t really program in JavaScript so I don’t know much about how axios works).

1 Like
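
The token handshake described in this thread, as an added example that is not part of any post: send the POST with the cookie in the headers argument, and if the rejection carries an x-csrf-token response header, retry once with it. The names postWithCsrf, makeFakePost and demo are hypothetical, and the stub server, its status codes and the placeholder cookie and token are constructed so the block runs offline.

```javascript
// Added example. `post` is any function with the axios.post signature:
// post(url, data, config) -> Promise that rejects with err.response on non-2xx.
async function postWithCsrf(post, url, data, cookie) {
  const headers = {
    Cookie: `.ROBLOSECURITY=${cookie}`, // cookie name=value pair
    "Content-Type": "application/json",
  };
  try {
    // Headers go in the third argument; the second argument is the request body.
    return await post(url, data, { headers });
  } catch (err) {
    const token = err.response && err.response.headers["x-csrf-token"];
    if (!token) throw err; // no token offered: a real auth failure, do not retry
    // Retry exactly once with the token the server issued.
    return post(url, data, { headers: { ...headers, "X-Csrf-Token": token } });
  }
}

// Constructed stub standing in for the server (status codes are assumptions).
function makeFakePost(validCookie, issuedToken) {
  const calls = [];
  const fail = (status, headers = {}) =>
    Promise.reject(Object.assign(new Error(`status ${status}`), { response: { status, headers } }));
  const post = (url, data, config = {}) => {
    const h = config.headers || {};
    calls.push({ url, data, headers: h });
    if (h.Cookie !== `.ROBLOSECURITY=${validCookie}`) return fail(401);
    if (h["X-Csrf-Token"] !== issuedToken) return fail(403, { "x-csrf-token": issuedToken });
    return Promise.resolve({ status: 200, data: { success: true } });
  };
  return { post, calls };
}

async function demo() {
  const url = "https://privatemessages.roblox.com/v1/messages/send";
  // Body fields copied from the question; values are the question's test data.
  const body = { userId: 4732473164, subject: "Test", body: "Test", recipientId: 492727430 };
  const good = makeFakePost("COOKIE_PLACEHOLDER", "TOKEN_PLACEHOLDER");
  const ok = await postWithCsrf(good.post, url, body, "COOKIE_PLACEHOLDER");
  // Wrong cookie: rejected without a token, so the helper stops after one call.
  const bad = makeFakePost("COOKIE_PLACEHOLDER", "TOKEN_PLACEHOLDER");
  const denied = await postWithCsrf(bad.post, url, body, "wrong").catch((e) => e.response.status);
  return { status: ok.status, attempts: good.calls.length, denied, deniedAttempts: bad.calls.length };
}

demo().then((r) => console.log(r));
```

With axios installed, passing `axios.post` as the first argument exercises the same logic against a live endpoint; keep the cookie value out of logs and error responses, since the helper's rejection object includes the request headers.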