Roblox API Code 403 (Token Validation Failed) when using the group join request user API with Python

Hello there. As you can probably guess from the title, this is an API problem that I am having. I am using Python and after trying to use the group join request user API, I have been getting the 403 (code 0) “Token Validation Failed” error. If it helps to know, I am using a cookie to perform this action. The cookie is valid since I’ve used it with other APIs, but I am getting this error on this one only. I am not too sure how to fix this since the API docs don’t give much information about it. The code I am using is:

    RequestURL = "https://groups.roblox.com/v1/groups/" + str(GroupId) + "/join-requests/users/" + str(UserId)
    Response = requests.request(
        "POST",
        RequestURL,
        cookies=Cookies
    )

If you are wondering, yes, the group ID is valid, yes, the account has permission to change ranks, and yes, the cookie is valid too.

I do not know if this is caused because the account has 2FA on, but I’ve tested it with another account which does not and it still gives me the same error. I am really confused on what I’m supposed to do here to fix it, nor could I find another post (one was unanswered and the other was about another API and it was a whole different process from what I could see). If you could help me, that would be amazing. Thank you for your time and help.

6 Likes

Hello, I’m not sure if you’re actually able to use Roblox APIs like that, since you’re not logged in, don’t have any permission in your group, etc.

Hello there. Thank you for the reply. I am not actually using studio. As stated in the topic’s description, I am using Python.

Thank you for the help though. I appreciate it.

Sorry, I read fast and didn’t see Python, but I think you’ll need to be logged in to see pending requests due to group permissions etc. (I might be wrong too, I’m kind of bad with using Python, APIs, etc.)

I can view the requests (I am actually implementing that), I cannot accept them though. Since it is an API and I provide a cookie, I do not think that I need to log in. There is an API that is entirely made for logging in (https://auth.roblox.com/docs#!/Authentication/post_v2_login), but I am not too sure if I need to use it, and I want to avoid using it unless necessary. The account does have the appropriate permissions, so that isn’t the problem, the “Token Validation Failed” error is and I am not too sure how to fix it.

Can’t help you any more, sorry ;( I’m kind of bad with things like API tokens, cookies, etc. Good luck!

1 Like

I’m not a pro in the jungle of obscure Roblox web APIs, but this link may help. Look through it and you will see it has an example of logging in and getting the token and all that.

1 Like

Yes, a login is needed to perform such actions. How the login happens is still a bit unknown to me, but I am sure I’ll find a way to replicate it. Thank you a lot for the help.

1 Like

It doesn’t seem to be the case. I have browsed all over the internet to find a solution, and I am still trying. From what I saw in multiple topics, if you have a cookie, then logging in isn’t needed, so I am very very confused on how I am supposed to solve this. Any extra help would be appreciated.

Figured it out. Logging in isn’t required (as long as you have a cookie), I just need to provide the X-CSRF-TOKEN as well in order for it to work. So for any future people, you need to provide the X-CSRF-TOKEN in the header, which you can easily fetch by making a request first and then grabbing the x-csrf-token (this one is lowercase) from the request header. Once you fetch it, make the same request, but in your header, set the X-CSRF-TOKEN (this one is uppercase) to the previously fetched token and it should work. Hope this helped future people who visited this for a solution.

So a sample script would be:

    import json
    import requests

    Cookies = {".ROBLOSECURITY": "<your cookie>"}  # Placeholder: the cookies (including the .ROBLOSECURITY cookie)
    XCSRFTOKEN = None  # A previously saved token, if you have one

    async def ExileUserFromId(UserId: int, Retry=True, Token=XCSRFTOKEN): # Token is by default None, if saved externally, it will save you from all the pain of having to run the script twice.
        RequestURL = "https://groups.roblox.com/v1/groups/3403707/users/" + str(UserId)
        Response = requests.request(
            "DELETE",
            RequestURL,
            cookies=Cookies, # The cookies (including the .ROBLOSECURITY cookie)
            headers={
                "Content-Type": "application/json",
                "X-CSRF-TOKEN": Token
            }
        )
        if Response.status_code == 403: # If the response is 403...
            try:
                JSON = json.loads(Response.text)
                ResponseCode = JSON["errors"][0]["code"]
                if ResponseCode == 0 and Retry: # And Roblox response is 0 and retry is enabled...
                    return await ExileUserFromId(UserId, False, Response.headers["x-csrf-token"]) # Re-do the request, but this time, with the `x-csrf-token` supplied as well.
            except (ValueError, KeyError, IndexError, TypeError): # Unexpected error body or no token header: fall through
                pass
        return Response, Token # Always a (Response, Token) pair, so the caller can save the token

7 Likes
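
The handshake from the last post, shown from both sides, as an added example that is not part of the original thread and not Roblox's code. A local stub (an assumption, built only to mimic the 403 / `x-csrf-token` behaviour reported above) rejects a cookie-only request, and a standard-library client reads the token from the rejected response's headers, retries once, and reuses the cached token afterwards. `StubAPI`, `send`, `post_with_csrf`, the URL path and the token and cookie values are hypothetical.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-token-123"  # constructed sample value, not a real token

class StubAPI(BaseHTTPRequestHandler):  # local stand-in (assumption), not Roblox code
    def do_POST(self):
        ok = self.headers.get("X-CSRF-TOKEN") == TOKEN
        body = b"{}" if ok else (
            b'{"errors":[{"code":0,"message":"Token Validation Failed"}]}')
        self.send_response(200 if ok else 403)
        if not ok:
            self.send_header("x-csrf-token", TOKEN)  # the rejection carries the token
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def send(url, cookie, token=None):  # one POST -> (status, response headers)
    headers = {"Cookie": cookie}
    if token:
        headers["X-CSRF-TOKEN"] = token
    req = urllib.request.Request(url, data=b"", method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code, err.headers

def post_with_csrf(url, cookie, token=None):
    """Returns (final status, token to cache, number of requests sent)."""
    status, headers = send(url, cookie, token)
    fresh = headers.get("x-csrf-token")
    if status == 403 and fresh:  # retry once only; a 403 with no token is final
        return send(url, cookie, fresh)[0], fresh, 2
    return status, token, 1

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/v1/groups/1/join-requests/users/2"
    cookie = ".ROBLOSECURITY=constructed"  # constructed; the stub ignores it
    first = post_with_csrf(url, cookie)  # no token yet: 403, then retry
    second = post_with_csrf(url, cookie, first[1])  # cached token: one request
    server.shutdown()
    return first, second
```

Retrying only when the 403 actually carries a token header keeps a genuine permission failure from being resent.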