Roblox APIs now REQUIRE Captcha?

I have recently noticed that there is an increase in 403 errors on most of Roblox’s APIs.

I was getting game information from games.roblox.com using the universe ID, just to get flashed by a nice Captcha response: “Challenge is required to authorize the request”.

Other APIs, like sending a friend request, are also affected by this.

It’s stupid to have a captcha when I’m simply GETTING GAME information. This doesn’t even affect Roblox at all in terms of BOTS. I understand stuff like web scraping, but this is simply just me pressing on a game on the front page and getting prompted with a captcha to even SEE it.

Please fix this issue and remove captchas from useless stuff that doesn’t even affect you.

Thank you Roblox.

18 Likes

Roblox is a creator based platform, so ofc they should limit what we can create by adding captchas.

I run a thing tracking servers for my extension project, which is heavily affected by this.

It was never an issue before and the API used to be documented too, but now they decided that they don’t like people using specific APIs ig?

9 Likes

I’ve seen badge checking requests from the client itself being blocked by this, so I think something has gone haywire. Maybe it’d be worth making a bug report about this issue?

1 Like

I don’t think it is a bug.

Roblox has a built-in captcha system, with 3 different types of captchas for APIs that detect you as a bot.

  1. Where it just does a bunch of calculations for a while, can take up to 180 seconds to complete.

  2. A funcaptcha with 5 captchas.

  3. A full account lock for “bot activity” that forces you into doing a face scan to get the account back.

I have had to deal with these captchas for a week-ish now, and those are all the different types of captchas I have encountered.

I simply do not believe Roblox made all of these things and accidentally rolled them out to more APIs than they should have.

Edit: Did a bit more testing, and requests sent by the site are also getting captchas, but they are solved automatically in the background.

2 Likes

currently not experiencing this across accounts, or when logged out, and when on a new IP.

if this is true, though, it would certainly be a fun project to sell an API that gets around it

1 Like

I have no idea how to reproduce it myself, but I know for sure the captchas are cookie-based and not IP-based.

1 Like

Hey @iriskxyz

You should not use the classic Roblox endpoint. Instead, use the new Cloud API endpoint, which does not require CAPTCHA. There is no point in trying to bypass the system; in the near future all endpoints will follow this model. Just adapt your code to what Roblox gives creators.

2 Likes

We are forgetting APIs are used for other things than just games, which Roblox supports alongside the Cloud API.

Open Cloud also doesn’t support every endpoint.

As a matter of fact, a developer is allowed to use classic endpoints in their games through things like roproxy.

Here’s Roblox officially stating they support classic APIs: Upcoming .ROBLOSECURITY Cookie Format Changes

2 Likes

I’ve seen badge APIs returning challenge type “denied” when requested by the client, which is why I said that.

If it were an actual challenge it’d make sense, though.

1 Like

Tbf that is likely a bug then. But the captchas on APIs I have encountered were either automatically solved in the background, or had some kind of visual on-screen indicator that they think you are a bot.

1 Like

RoProxy? Okay.

Interesting. IP immediately resembles that of a Cloudflare server. Let me make sure.

There you go. Bad Cloudflare configuration probably sends everything thru their bot-fight system and whatever else they can throw at a GET or POST.
Make your own proxy with Cloudflare Workers. It’s free, fast and reliable.

1 Like

This is not a roproxy issue…

This is a site-wide issue; even API requests being sent by the site are getting captchas.

3 Likes

I am so sick of this captcha garbage. APIs should be using rate limits, not a captcha. But it could be so much worse. They could force you to scan your ID each time. And with the way things are going, that may soon become an unfortunate reality.
Edit:
Of course they already made it so much worse:

2 Likes

They are, they are forcing you to scan your ID. If your account is detected as a bot, which happens after multiple API captchas and other detections I assume. But if that happens they will lock your account for being a bot and force you to do either a face scan or ID scan.

I personally had one account I used for my project get locked like this.

2 Likes

Hey folks, thanks for all the feedback, we’re looking into this regression and are aiming to fix it before end of week.

6 Likes

Hi folks, we just improved this. Can you all check again and see if you are still seeing any issues?

@iriskxyz @enderrpearl @JustForgery

2 Likes

Uh, some users of my userscript are still reporting errors when the script sends requests to the Roblox APIs. Most API endpoints are responding with { code: 0, message: “Challenge is required to authorize the request” }.

The requests aren’t even going through a proxy.

1 Like

Can you file a new bug report with more specific information? Like specific routes, and whether you’re calling it from in-experience or from external tooling, and at what rate you are calling them?

1 Like

I have a question specifically related to the gamejoin endpoint.

Is that endpoint specifically meant to have captchas?

If so, why is that? It is heavily used in my extension project, since it is the only way to get server-related information, like the datacenter ID, which is used to figure out the location of a server.

Please file a feature request if you’re dealing with a specific problem, this bug report has run its course!