Recent and Upcoming Changes to Roblox Web APIs


In most cases we automatically redirect from http → https, but we want to encourage you not to rely on that behavior, since it can leave you susceptible to manipulator-in-the-middle attacks.

13 Likes

Thank you for the update!

I do have a question regarding concern within IP changes forcing cookie invalidation.

This change affects developers who use a VPS to host their services; with the requirements updated to ensure cookies are used on most endpoints, this is frustrating for developers. :confused:

11 Likes

Question is: how does it handle servers that do not necessarily have SSL certificates in them? Some of them just don’t allow you to connect to them without one. (HTTPS by default directs to port 443 of the servers, while HTTP directs to 80.)

4 Likes

This has been frustrating for me as someone who does automated testing with run-in-roblox with GitHub Actions. It’s still slow and unreliable even with a static IP workaround.

Ideally there would be an Open Cloud API which would let me run a script with access to the data model of an individual place and return the output to me. It would not save any changes to the place by default, but that might be a useful option to have.

I can’t submit a Feature Request because I don’t have permissions to post them.

8 Likes

As I posted previously,

can we get CORS accessibility for API endpoints, at least only for OpenCloud endpoints? It’s impossible to create websites that access Roblox APIs from the web without hosting your own infra or trusting some CORS proxy provider that they’re not gonna harvest API keys.

7 Likes

First of all, great changes. I think these will make the platform a better place and all around more secure. However, there are a few issues that stand in the way of these changes.


Standard Errors

I believe changing errors to a standard format is something that has been needed for years. There are just SO many different error formats. (As someone who’s made Roblox API wrappers, this was something that ALWAYS annoyed me).

However, I do have a question: would it be possible to make all of the possible formats and error codes available on the docs page? If there’s going to be two possible formats that I have to check for with errors, I want to have a list of possible responses and error codes so I can make sure that I can cover everything.

For example, a not authorized response would include the old and new error response that our programs would have to be able to handle.

Even just a way to force the new/old errors. Being able to force opt-in would be really nice as well. Otherwise, there’s not really an easy way of handling this change, other than just spitting out a generic error if something goes wrong, which makes error handling impossible.


IP Locked Cookies

The new IP-locked cookies should be great for account security, and something that has been requested for years.

However, this does bring about a problem: running workflows that require cookies on a VPS or runner (like GitHub Actions) will no longer work. An ideal solution for the time being is to allow us to create API keys which can function as cookies. Until all APIs are supported by the Open Cloud API, we HAVE to use cookies, and so this change will prevent a lot of automated workflows and testing. Please consider this.


Conclusion

While these changes are great, I’m noticing a theme of neglecting to provide us with appropriate alternatives before removing features. Please add alternatives before you remove features.

I don’t want to be pessimistic - I just want to be able to use the API.

4 Likes

This has been brought up multiple times, but the APIs at presence.roblox.com (Presence Api) still seem to be very inaccurate.

5 Likes

We will follow up on this issue.

6 Likes

Where do we submit the feature requests for the Open Cloud?

hi @LifeDigger - please submit a new Feature Request post on the dev forum under Website Features, e.g. Upload Images via Open Cloud API, and it’ll be brought to our attention!

1 Like

it’s not often you see DevForum updates for the web API. thanks for this!

Is there any rhyme or reason to the 9XXX status codes? Should we look at those codes or the status code when determining the cause of an error?

Not everyone has access to the feature requests category, so it is impossible for most of us to submit them. A survey would be a good alternative.

1 Like

There are numerous cases where the HTTP Status Code does not provide enough information to know the cause of an error. For example, a 403 could be returned because of a missing XSRF token, or a lack of permissions on an endpoint.

The numeric error codes are intended to uniquely identify these common base-level errors so they are easier to handle.

1 Like

Will we receive an index of the error codes at some point? As in 9001 = Error 1, 9002 = Error 2, etc. Also, will they be synchronized across all APIs, or be specific to each API? Will they overlap (123 means Error 1 in the users API, while 123 means something else on the games API)?

The issue like what @NinjaFurfante07 has stated most people can’t post in this category as I believe it is for regulars only which at the current moment is impossible to get and kinda a pain ngl.

1 Like

SSL Certificates are NOT required to SEND AN HTTPS REQUEST.

You need one if you want a Client to be able to properly send YOUR Server an HTTPS Request.

So, the only change required is changing your endpoints’ prefixes from “http://” to “https://”.

This topic is about the *.roblox.com web API, and not HTTPService. HTTPService will continue supporting HTTP requests.

2 Likes

This is correct.

We are requiring HTTPS for *.roblox.com endpoints, not for third-party domains that developers are using with HttpService.

You misunderstand - what this announcement is saying is that your ExpressJS app should use https:// when sending requests to Roblox’s domain. This announcement is not saying that HttpService will now require all sites to use SSL.
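The scope discussed in the replies above (HTTPS required for *.roblox.com, third-party hosts unaffected) can be checked on the client side before any request is sent, instead of relying on the http → https redirect. The following is an added example, not code from the announcement or from any poster; the function names and the sample URLs other than presence.roblox.com are constructed for illustration.

```javascript
// Added example: audit outbound endpoints so that nothing depends on the
// http -> https redirect for roblox.com hosts. All names are hypothetical.
const ROBLOX_APEX = "roblox.com";

// True only for roblox.com itself or a genuine subdomain of it, so that
// look-alikes such as notroblox.com or roblox.com.evil.example do not match.
function isRobloxHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return h === ROBLOX_APEX || h.endsWith("." + ROBLOX_APEX);
}

// Classify one endpoint as "ok", "insecure-roblox" or "invalid".
function checkEndpoint(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { url: raw, verdict: "invalid" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { url: raw, verdict: "invalid" };
  }
  if (isRobloxHost(url.hostname) && url.protocol !== "https:") {
    return { url: raw, verdict: "insecure-roblox" };
  }
  return { url: raw, verdict: "ok" }; // third-party http is out of scope here
}

// Return only the entries that need attention.
function auditEndpoints(list) {
  return list.map(checkEndpoint).filter((r) => r.verdict !== "ok");
}

// Constructed sample configuration.
const SAMPLE_ENDPOINTS = [
  "https://presence.roblox.com/",
  "http://presence.roblox.com/",     // would rely on the redirect
  "http://my-vps.example/webhook",   // third-party host, not covered
  "http://notroblox.com/",           // look-alike, not a roblox.com host
  "http://roblox.com.evil.example/", // look-alike, not a roblox.com host
  "not a url",
];

console.log(auditEndpoints(SAMPLE_ENDPOINTS));
```

Running the audit over a service's configured endpoints in CI flags any plain-http Roblox URL before it is ever sent over the network.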