Roblox API Authentication issues

I’m creating a python script to try and authenticate into my roblox account.

I already figured out that I’ll have to use the security cookie because I can’t get past the captcha.

This is the code I have as of now:

import requests

import json
payload = {‘user’:‘username’, ‘password’:‘password’}
url = ‘https://auth.roblox.com/v2/login
with requests.Session() as s:
cookie = {‘PHPSESSID’:‘SecurityCookie’
headers = {“User-Agent”:‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246’}
request = s.post(url,headers=headers,cookies=cookie)
print(request)

It is just returning error code 403.

I don’t understand what is wrong though. Why can’t I authenticate?

Anyone got any ideas?

Thanks!

2 Likes

Cookie name is wrong. It should be .ROBLOSECURITY (something like that) not PHPSESSID.

2 Likes

That is correct.

PHPSESSID is for PHP’s session data (different from cookie data) and is not for verifying login credentials. You shouldn’t really need to be setting that cookie, PHP will handle it on its own.

Question: Why do you need to login with auth.roblox.com/v2/login if you’re storing the .ROBLOSECURITY cookie anyways? That bypasses login completely, even with 2FA enabled.

If you’re not storing the cookie in your application, and are getting it from the login post request, then what you are doing is correct, just rename PHPSESSID to the .ROBLOSECURITY cookie name used for local login storage, and be sure to set the cookie to the .ROBLOSECURITY cookie that your login post request will have created.

Yes but that started a few minutes ago, this is irrelevant to his problem (posted over an hour ago).

1 Like

Thanks for the help! I am pretty new to using the requests library so this clears up a lot.

I got rid of the PHPASSEDID and added in a the .ROBLOSESECURITY.

But for some reason I’m still getting this error

Not quite sure what is wrong.

Here is the code I am currently using.

import requests
import json
payload = {‘user’:‘username’, ‘password’:‘password’}
url = ‘https://friends.roblox.com/v1/my/friends/count
with requests.Session() as s:
cookie = {‘My .ROBLOSESECURITY’’}
headers = {“User-Agent”:‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246’}
request = s.post(url,headers=headers,cookies=cookie,data = payload)
print(request)

1 Like

It should be .ROBLOSECURITY, not .ROBLOSESECURITY.

1 Like

Ooh, that was a typo. Ik that. That is just a placeholder so I don’t leak my roblosecurity cookie.

You can try using:

https://api.roblox.com/sign-out/v1

Here you can find better examples or even use the provided code.

1 Like

I actually ended up finding a solution a long time ago, based off of the robloxapi module, and figured out how to make it work. I just forgot to mark the solution.

I really appreciate the great resource though. Thanks!

3 Likes