We’re excited to announce that group members with corresponding permissions can now create API keys to access group-owned resources! What’s more, group owners can delegate trusted members as API Key admins to manage the group keys.
Open Cloud strives to boost creator efficiency by enabling you to build any tools you need to automate your workflows. We started with supporting API keys for these tools to securely authenticate into Roblox cloud, similar to how you’d configure a badge for someone to enter an office building and selected rooms. In our initial launch, only group owners are allowed to create API keys for their group. We understand that this is less convenient especially for large teams as API keys are highly sensitive information and many members would want to directly create them to automate their workflows instead of asking the owner every time. On the other hand, group owners may not have enough time to manage API keys all by themselves. They’d rather delegate the administration work to a few trusted members. As a result, we have added additional permissions in Group configurations so that the owners can authorize certain team members to use and manage API keys for the group.
To authorize your team members, go to the “Roles” section of the Configuration page for your group and then turn on “Create group API keys” for certain roles or create a new role. Turn on “Administer all group API keys” for the roles you want to assign as admins. Note that API key admins can not only see all of the keys in this group including those created by others but also edit or revoke any key at any time so that they can investigate security incidents and take necessary actions to protect group resources. We highly recommend only giving this permission to a small number of trusted members. On the contrary, normal API key users (non-admin) can only create new group API keys and edit those owned by them.
Check out this tutorial to learn more about this feature! In the meantime, we’re all ears for any feedback you may have.
Roblox is killing it with these updates, great work team!
Question about Cloud API keys,
Is there a plan to incorporate read/write API keys for Datastores? Let’s say if I want to post leaderboard stats on like my website or something. Currently, I have to use an external database.
In full seriousness, this is fantastic to see! I’m hoping to see this be used for auto-ranking bots (when the permissions open), whether it be via Roblox games or Discord community servers. For now, it’ll be cool to potentially see in-studio clothing creation plugins?
Good luck to all developers that plan ambitious changes with this!
Seems like this update has some great potential over time. I was wondering, would you consider adding a ranking API option? Such a system could reduce the demand of groups using automated bots to do the same thing (ie: accepting group requests, ranking people on acceptance of an application). Of course, there would have to be some rate limit and preferably a rate limiter to prevent abuse intentionally or unintentionally? Would also be nice to have broadly most group management functions but ranking would be a good start.
Thank you for this! This really helps us. I’m not sure if you’re aware of this, but the API is currently returning 500 errors after successful uploads. I’m happy to message Bug-Support about it (still not able to post in Bug Reports), but it might be something related to this work?
Here’s an example of using the API using curl. As you can see, the upload succeeds but the API returns HTTP/2 500.
> curl --verbose --location --request POST 'https://apis.roblox.com/universes/v1/$redact/places/$redact/versions?versionType=Published' --header 'x-api-key: $api_key' --header 'Content-Type: application/octet-stream' --data-binary @file.rbxl
* Trying 128.116.117.4:443...
* Connected to apis.roblox.com (128.116.117.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.roblox.com
* start date: Aug 13 22:53:34 2021 GMT
* expire date: Aug 13 22:53:34 2022 GMT
* subjectAltName: host "apis.roblox.com" matched cert's "*.roblox.com"
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x12780b600)
> POST /universes/v1/$redact/places/$redact/versions?versionType=Published HTTP/2
> Host: apis.roblox.com
> user-agent: curl/7.77.0
> accept: */*
> x-api-key: $redact
> content-type: application/octet-stream
> content-length: 26719633
>
* We are completely uploaded and fine
< HTTP/2 500
< date: Wed, 02 Feb 2022 02:05:29 GMT
< server: Kestrel
< content-length: 0
< report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]}
< nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1}
<
* Connection #0 to host apis.roblox.com left intact
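Added example, not part of the post above and not Roblox tooling: one way to make the same request while keeping the key out of the process list, and to mask credential headers in `curl --verbose` output before sharing it. The `ROBLOX_API_KEY` variable and the function names are assumptions; the endpoint and header names are taken from the request shown above.

```shell
#!/bin/sh
# Added example. ROBLOX_API_KEY and the function names are assumptions.

# Print a curl config line carrying the key as a header. Fed to curl on
# stdin, the key never appears in argv (readable via ps) or shell history.
# Assumes the key contains no double quote or backslash.
api_key_config() {
  : "${ROBLOX_API_KEY:?set ROBLOX_API_KEY in the environment}"
  printf 'header = "x-api-key: %s"\n' "$ROBLOX_API_KEY"
}

# Mask credential-bearing request headers in curl --verbose output.
# Header names are matched case-insensitively (HTTP/2 shows them lowercase).
redact_curl_log() {
  awk '{ lower = tolower($0) }
       lower ~ /^> *(x-api-key|authorization|cookie):/ { sub(/:.*/, ": [REDACTED]") }
       { print }'
}

# Upload FILE as a new published version; the log is redacted as it is produced.
# usage: publish_place UNIVERSE_ID PLACE_ID FILE
publish_place() {
  [ -n "${ROBLOX_API_KEY:-}" ] || { echo 'ROBLOX_API_KEY is not set' >&2; return 1; }
  api_key_config | curl --silent --show-error --verbose --config - \
    --request POST \
    --header 'Content-Type: application/octet-stream' \
    --data-binary "@$3" \
    "https://apis.roblox.com/universes/v1/$1/places/$2/versions?versionType=Published" \
    2>&1 | redact_curl_log
}
```

The redaction only covers request header lines; a key typed directly into the command line would still show in the echoed command, which is why the key is supplied through `--config -` instead.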
I have a question regarding future APIs and the Open Cloud concept. For a huge while now, I have been using the Roblox Web APIs (found on the GitHub post here) and was passing the cookie whenever needed. That being said, the API is rich in functions and endpoints that we are able to utilize to basically manage the entire account. Considering that in the future Open Cloud will be replacing the Web APIs (or at least that is what I assume), do you plan to update the Web APIs for us to continue to utilize them but with the ability to pass an API key, or do you plan on using a brand new URL (for instance, the place publication one uses apis.roblox.com)? I do like the fact that the URLs are separated between different types of endpoints (chat, group, authentication, catalog, etc), so I am wondering if you are planning on porting the API to the already existing URLs and simply adding the ability to pass in a header with the API key. That is all. Nevertheless, amazing update and I can’t wait for more API types to be released!
Hey Batimius, we want to enforce the same API standard for Open Cloud so it’s easier for you to learn and maintain. Therefore, the plan is to always use the same domain: apis.roblox.com and append each service afterwards.
That is understandable. Thank you for clarifying. If I may ask, do you plan on porting (almost) every already-existing API over to the Open Cloud, or only a limited selection? I am just wondering whether Open Cloud will be a replacement of the web APIs or just another way to make (more secure) requests to the Roblox servers. Thank you!
Discord bots & Cookies, which is a pain as it’s obviously undocumented and ever-changing.
Another example of the pains is with Studio CI/CD: the new endpoints that haven’t been announced meant that we’re adding RBXID, and you bet we don’t know what it does other than that it expires every 7 days…
On the topic of Discord bots and previous APIs, as previously the biggest problem was people abusing the webhooks and spamming them with a lot of useless stuff, what measures are you going to take to prevent this problem? A rate limit on the Roblox side of things would slow things down, but people found a way to try and bypass it.
@lexandstuff could you check again if you are running into the error and post the time (including time zone) you hit the error? We’re trying to see if the issue is transitive or not and hoping. Thank you for reporting and helping us understand the issue.