App names are enforced to be unique to disincentivize impersonation between apps. For example, if you own a popular app, you don’t want a bad actor to try and impersonate that app by using the same name and picture and then use that as a way to trick users into giving permissions to that bad app instead of the real one that you made.
If you want to create a quick app for testing, you could name it like: “KaranBlox’s test app”.
This is cool. Are there plans to support groups.roblox.com, users.roblox.com, etc.? A lot of those endpoints that require cookies often have those same cookies passed around and eventually turn into a stolen / hacked account. Shifting it to this would significantly improve that workflow / experience. Not to mention, it would make maintaining a third-party library much… much easier.
Suggestion: It’d be awesome if we could use the OAuth in game, completely eliminating the need for players to go to their web browser at all. This could serve as a way to verify users’ identities to external databases, etc.
For users.roblox.com specifically, if you’re looking for user information, that should mostly be covered by POST /v1/userinfo with “openid profile” included as scopes. Is there anything else you’re missing from that API domain?
Noted for groups.roblox.com. It would help to specify your actual use cases for the Groups APIs (which you need, what will you achieve with them?) so that the product manager can determine the right priority (what we should work on first).
How would I work around the same origin policy without using a proxy? I’m having trouble working around it when trying to get an access token, and things like cors-anywhere don’t seem to be working for me.
Beyond that, when I do get it to work, I always seem to get the same error description: “authorization code may not be used from this device”. There’s not any documentation I can find on this.
I’m assuming you are using client_id + PKCE flow (without client secret) based on receiving that error.
This flow is intended for front-end/desktop/mobile-only apps (without any backend). This implies you need to exchange the authorization code on the same device that created the authorization code.
You cannot create an authorization code with client_id + PKCE flow and then send it to some other machine (e.g. your backend server) and exchange it there. You’ll need to use the client_id + client_secret flow or client_id + client_secret + PKCE flow in that case.
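To make the same-device rule concrete, here is an added example in Python (not Roblox’s code and not from this thread) of the PKCE binding: the code_verifier exists only on the device that started the flow, so an authorization code forwarded to another machine cannot be redeemed without it. The authorize endpoint URL, client id and redirect URI are assumptions.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed endpoint for illustration; confirm against the current Open Cloud OAuth 2.0 docs.
AUTHORIZE_URL = "https://apis.roblox.com/oauth/v1/authorize"


def _s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Generate (code_verifier, code_challenge) on the device that starts the flow."""
    verifier = secrets.token_urlsafe(64)  # ~86 unreserved chars, within the 43..128 limit
    return verifier, _s256(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: str,
                        challenge: str, state: str) -> str:
    """Only the challenge leaves the device; the verifier stays in local memory."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": scopes, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def challenge_matches(presented_verifier: str, stored_challenge: str) -> bool:
    """What the token endpoint checks: recompute S256 over the presented verifier."""
    return secrets.compare_digest(_s256(presented_verifier), stored_challenge)


def exchange_code(stored_challenge: str, presented_verifier: Optional[str]) -> dict:
    """Simulated token endpoint for a public (client_id + PKCE) client.

    A backend that only received the code has no verifier (None) and is refused,
    which is the situation behind the "may not be used from this device" error.
    Response bodies are constructed for illustration, not Roblox's exact wording.
    """
    if presented_verifier is None or not challenge_matches(presented_verifier, stored_challenge):
        return {"error": "invalid_grant"}
    return {"access_token": "constructed-access-token", "token_type": "Bearer"}
```

Keep the verifier and the exchange on the same client; if a server must hold the tokens, run the confidential flow (client_id + client_secret, optionally with PKCE) from that server instead.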
(I’m not the same person that you were replying to.)
I think that it’s fairly important to have access to the user’s avatar headshot link (e.g. https://tr.rbxcdn.com/d3fcb031fe6c5c11a330d8b238bb3bb5/150/150/AvatarHeadshot/Png) in the userinfo endpoint. From the users API the only thing I could see being somewhat useful is username history, so I don’t see much need to implement that API.
However, the groups API should be top priority right now, the old API was relied on a lot, but broke for some people due to the new ROBLOSECURITY measures. A new groups API should be able to do the following:
- list groups a member is in (including rank) (only for OAuth2)
- allow getting information about a member in a group with a user id
- the ability to view, send, and delete posts on the group wall
- the ability to change a member’s role, and exile members
- update the group shout
It would be great if it worked both with oauth2 and api keys.
The group API should have been added to Open Cloud before the ROBLOSECURITY update. I believe a lot of developers would be very happy with this new API.
Maybe also support for group events, like member join, member leave, member role update, wall post sent, and wall post deleted, could be sent to the webhook feature or a websocket, which would make it easier for group moderation bots to moderate group walls without constantly pinging Roblox. (Messaging service support too?)
Each endpoint has different use cases:
- list groups for member can be used to check if the user is in a group (and their rank) when going through OAuth2.
- getting information about a member by user id could potentially be useful for external servers (Discord bots, Guilded bots, websites) that know the user’s id but haven’t been through OAuth2, and want to retrieve information about them.
- the ability to view, send, and delete (especially view and delete) would allow automatic moderation of spam posts. Maybe exclude sending wall posts to prevent more spam.
- the ability to change a member’s role can be used to give members a special role if they verify, or after doing a certain action which gives them higher permissions. It could also be used to automatically manage employees in large groups.
- the ability to exile members would be useful for automatic moderation.
- updating the group shout can help automate sending announcements.
Just out of interest, how does ID verification stop bad actors? Does ID verification not just verify your age, which is slightly pointless within OAuth2? I was speaking with someone the other day about how Roblox is adding ID verification to basically everything now (all the useful stuff anyway), but we could not really work out how it stops people.
Ahh, I figured that out. Thanks for the heads up, though; I will keep this in mind for next time! It’s my first time working with OAuth2, so I had a bit of trouble figuring it out initially.
I got a CORS proxy working, but while I had an issue with practically all of them: none of the responses return any kind of CORS header, and I’m unsure of how to work with it without using a proxy. I searched around the DevForum for an answer, and it seems like this is an issue other people have had in the past working with other APIs too, with varying solutions.
When it comes to working with browser-based apps and CORS, is there an official solution to this? I’d like to avoid using a proxy if so.
I am one of the maintainers for noblox.js, and many individuals rely on endpoints like shouting, changing ranks, and (formerly) group wall posting. There are third-party services on Roblox that manage this stuff for you by placing their own bot account in your group and funnelling the requests through some API wrapper. I think it’s a lot safer and less of a security risk to have all this done through OAuth methods rather than adding some random bot account to your group or asking individuals to share their cookie.
You shouldn’t need CORS proxies or disabling plugins for these OAuth2.0-based endpoints to work. Let me follow up with the team. Thanks for letting me know.
When you use ID verification, Roblox stores an anonymous identifier corresponding to those ID verification details; the latter are then destroyed (so we don’t store the original ID data).
Not only is ID verification itself a high friction action which naturally makes it easier to maintain safety, but this anonymous identifier can be used to track abusers across accounts. This is a high disincentive to abuse because when you break the rules, you don’t just risk your current account but any further use of Roblox in general.
See also my comment earlier on the thread regarding using a looser access requirement than ID verification:
To create an OAuth2 app you go to https://create.roblox.com and then go to the “Credentials” section on the side bar (on the left). When on the credentials page you then just go to where it says “OAUTH 2.0 APPS” and create a new app there.
OAuth2 does not really relate to Roblox Studio at all. It allows third-party apps to do things or get information on behalf of a user who authenticates (for example, it allows you to publish messages and get info about a user).