Hi Creators,
We are thrilled to announce that everyone can now create their own OAuth 2.0 applications! This will allow you to make external websites, tools, bots, and other software that not only lets users sign in with their Roblox user identity but also get their consent for your apps to access their Roblox resources.
Check out this video to see how OAuth 2.0 works:
Open Cloud strives to unleash a vibrant 3rd-party application ecosystem to serve the diverse needs of the community. It includes a rich set of standardized APIs and an authorization/authentication framework that allows these APIs to access Roblox Cloud. We started with API keys as the auth method so you can write your own scripts and tools. OAuth2.0, on the other hand, allows you to build applications that can be used by the rest of the community.
Getting started is easy, here’s how you can create an app:
Note: You must be ID Verified to be able to create OAuth 2.0 apps.
OAuth 2.0 & Available APIs
OAuth 2.0 is an industry-standard protocol. It provides a framework for users to grant limited access to their protected Roblox resources, such as their inventory, to another application without sharing their username and password. You can request to access the following permissions (a.k.a. scope in OAuth terminology) in the app edit page:
| Scope | Applicable API | Functionality | Use Case |
|---|---|---|---|
| openid | GET /oauth/v1/userinfo | Get Roblox User ID | Validate a user’s Roblox identity, or “Sign in with Roblox” feature |
| profile | GET /oauth/v1/userinfo | Get a user’s username, displayname, profile link, etc | Display such user info in your app |
| asset:read | GET assets/v1/operations/{operationId} | Read assets or asset related operations that are accessible to the user | Read moderation status of an asset. Check the asset creation operation result. |
| asset:write |
POST assets/v1/assets PATCH assets/v1/asset/{assetId} |
Create and update assets on the user’s behalf | Create assets such as images using external tools and batch upload |
| universe-messaging-service:publish | POST messaging-service/v1/universes/{universeId}/topics/{topic} | Send messages to a topic of the cross-server messaging service | LiveOps, e.g. launch events using a web portal |
Wait, did we just say the Asset Creation API is available in OAuth 2.0? Learn more here. We’ll keep adding new APIs to OAuth 2.0 to unlock additional features that you can build. Feel free to reply with what APIs you’d need most. We’ll take that into account!
App Review & Publishing
To keep users safe from malicious apps, there is an upfront review required for OAuth 2.0 apps. Here’s how it works:
- By default, your app is in “Private mode” with a limit of 100 authorized users. You can test and debug your apps with your team members in this mode.
- Once you are ready to have more users, publish it in the app edit page.
- Our moderators will review your app and make a decision (approval or rejection). You will get emails regarding the results within a few days.
- If approved, your app is in Public mode without any user limit. Otherwise, you can modify your app and submit it for review again.
- For all apps in public mode, any changes on the app edit page will need to be reviewed and approved again before the changes are exposed to your app users. We recommend cloning your app to test and debug before publishing again.
Check out this guide to learn more about the process. We’ll continue making further optimizations such as allowing you to add collaborators who can test the app, rather than the arbitrary 100-user limit. Stay tuned!
OAuth 2.0 has been a massive effort for us. We’d like to thank everyone who participated in the private beta program and offered their invaluable feedback! The program will continue being active with all new features and APIs first released there. If you’re interested in early access and offer us feedback, click here to apply.
This is it! Now the sky is your limit! We can’t wait to see what you’ll build! To get started, go to the Creator Dashboard to create your first app! Check out this overview to learn more about OAuth 2.0 and how to build an app.
Cheers,
The Roblox Creator Services Team
Update
09/20/2023
- When
profilescope is requested, the OpenID response now contains the user’s avatar thumbnail! You can use it to display in your app
09/12/2023
- OAuth2 now supports CORS for frontend only apps! You can send requests from any web page without needing a proxy or other tools
