Open Cloud API Key Status Improvement

Hi Developers,

We are excited to announce an improvement on Open Cloud security: API keys that are unused for more than 60 days will automatically expire starting Jan 5, 2022. In addition, you can now see detailed status of your API keys on the Creator Dashboard.

Open Cloud allows you to build tools and applications that can securely access your resources in Roblox cloud, such as places and player data, through standard web APIs. In the long term, we strive to empower a thriving application ecosystem that helps maximize your productivity. To begin with, we launched API keys so that you can configure granular permissions needed for your tools, similar to setting up a badge to enter an office building and corresponding rooms.

API keys are a convenient way to create the credentials you need. However, sometimes you may generate a key for temporary usage and then forget about it. When a bad actor steals the key, they can still use it to access your resources.

To mitigate this risk, we now monitor the usage of your keys and if there is no activity, including sending API requests and any edits, for more than 60 days, the system will automatically expire the key. Once it’s expired, a bad actor won’t be able to access any of your resources anymore. If you want to use the key again, you can simply make an update to the key or toggle the enable/disable button on the API key edit page.

In addition, you can now see the detailed status of your keys. If the key is ready to use, the status will be “Active”. Otherwise, the UI will show reasons for the key to be inactive, such as “Expired”, “Disabled”, etc. A tooltip will show more explanations for each status when you hover. You may need to take multiple actions to reactivate your key.

We hope you enjoy this update! Check out the “API Key Status” section in our documentation to learn more. As always, please don’t hesitate to leave any feedback so that we can keep improving.

Happy building,
The Roblox Creator Services Team


This topic was automatically opened after 10 minutes.

Will we be able to create keys with Open Cloud?


I think the key should be hidden in the panel until you hoover over it:

Like on discord and other apps:

This would be great in case we accidentally left some chrome tabs open while streaming or something like that.

Edit: The key used was deleted right after making screenshot


Not sure if it already does, but potentially also have it hide after some time. So it’s not constantly visible either.
Also, if you mess with such keys on stream, I would recommend making new keys after stream anyway, otherwise completely close such tabs.


@luketeam5 The key is only shown on creation. It is not shown again.

Just don’t broadcast you creating keys and you will probably be OK.


This is a really nice feature addition. There are a lot of token out in the wild that are active and can lead to stolen accounts. Having dead keys expire after a period of inactivity will prevent this greatly and provide a natural second-layer of security to those who accidentally leak their own token.

99% of developers have done this. Including me in my earlier years. This is a real life example and one that many developers should relate to in some capacity and hopefully, learn from.

This is such a life saver. I hate testing keys to figure out something so simple. Thank you for thinking about this. A lot of other services out there should take note of this. Documentation is pretty good too!

Is there a timeline as to when other APIs will become public through the Open Cloud?

There are a multitude of libraries (including mine) that want to switch to this system to provide better security to our users (cookies are bad) but, we just don’t know when the said services will be migrated to this. More clarity in this area would help greatly.


I would make that a setting with hover to view the default.


Please extend Open Cloud beyond place publishing. I really want to see a datastore explorer created in the web instead of from inside a game.


I 100% agree with that. I would not say a major issue but if you are sending a picture or vid you would want to make sure you don’t accidently send it.


I don’t think this is bad idea. It might make issues to underrated games like my games.


Can’t wait to use this once you support creating keys for Group members!


To my knowledge API keys(which the post is talking about, not account cookies & account tokens) are used for individual end points of the apis & can’t be used to gain direct access to your accounts. As one of their reasons to create Open Cloud is to prevent the bad habit of making use of your cookies/session tokens for apis, as those do give complete access to your account. Of course it still creates an invulnerability & gives them some control which we wouldn’t want either way.