Node.JS Error 401 when trying to use PrivateMessages API

I’m attempting to access the Roblox Private Messages API specifically the V1 Send Post API. I’ve previously used many Roblox web API’s before without any issues including the games, users and open cloud API’s, however I’ve only encountered the error 401 when using The robloxCookie var I know is correct as I’ve used the same one for other API’s and it works flawlessly. I’m using the userId as the user who is sending the message and the recipient is of course who I’m sending to.

Node.JS Code:

async function send (request, response) {"", {
        params: {
            userId: 4732473164,
            subject: "Test",
            body: "Test",
            recipientId: 492727430
        headers: {
            Cookie: "x-api-key: " + robloxCookie,
            "Content-Type": "application/json"
    }).then((APIresponse) => {
    }).catch((error) => {
        throw error

"message": "Request failed with status code 401",

Thanks in advance for any help.

1 Like

Have you been able to use this specific API link before? It might be temporarily/permanently disabled. That is, considering your cookie is indeed valid.

No this is the first time I’ve tried this specific API endpoint. I also know the cookie is correct as I’ve tested it on the games API just there now.

x-api-key is not the cookie name for the roblox cookie. it should be .ROBLOSECURITY

also you need to send the request with the x-csrf-token in headers which you can get from sending a request that results in a 401 and getting the token from the headers

1 Like

I’ve always been using x-api-key for sending my .ROBLOSECURITY cookie and it’s always worked fine. Also would you mind explaining the x-csrf-token, I’ve never had to use that before, thanks.

Working API’s I’ve used before:

GET requests don’t need any cookies so it simply ignores it. you’re doing a POST request now for private message sending so you need to have a valid cookie name and value

Cookie: ".ROBLOSECURITY=${cookie}"

X-Csrf-Token is a token is used to verify that the authenticated user is the person actually making the requests to the application

You have to pass is as a header value: X-Csrf-Token: "token"

you can get this token by making a POST request to an endpoint like with your cookie value. you will get a 401 error with the X-Csrf-Token in header and then you can pass it in your header for your actual request.

Also, your X-Csrf-Token will stay valid for up to 4 minutes

1 Like

Thanks for your help so far, I suppose that makes more sense. I have been making POST requests to the logout endpoint and I do get a 401 error in return, however no part of the response includes the x-csrf-token

Error Response:

you’re passing the headers as data and not actual headers

I’ve checked my code with the axios docs and I am sending the cookie as a header and not as data.

async function getAccessToken (request, response) {"", {}, {
        headers: {
            Cookie: `.ROBLOSECURITY=${robloxCookie}`
    }).then((auth_response) => {
    }).catch((error) => {

Check that you’re passing a valid cookie. If you are, there’s probably something wrong with your code (I dont really program in javascript so I don’t know much about how axios works)

1 Like