Description:
The secret management system in Roblox’s Creator Dashboard does not properly accept API keys as secrets for in-game use. Even when secrets are created with valid values and domain settings (* or valid domains), server scripts using HttpService:GetSecret() return nil or errors saying the secret can’t be found.
This prevents legitimate use of Roblox Cloud API keys required to access user inventories and other critical functionality. The domain validation is either too restrictive or misleading, causing secrets to never be sent to game servers.
Steps to Reproduce:
- Create an API key in Creator Dashboard.
- Add it as a secret with domain set to *.
- Use HttpService:GetSecret("SecretName") in a server script.
- Observe that the secret is not accessible (nil returned).
- Attempt other domain values, still no success.
Expected Behavior:
Secrets should be accessible via HttpService:GetSecret() on Roblox game servers when domain is set to * or valid Roblox domains.
Actual Behavior:
Secrets are never accessible; domain validation blocks sending secrets; error messages mislead developers.
Impact:
Blocks usage of critical APIs that require API keys, forcing insecure or impractical workarounds and harming developer experience.
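
A diagnostic server script for the reproduction steps above, added here as an example and not part of the original report. It separates the failure modes the report describes (an error from GetSecret, a nil return, or a failure when the secret is sent) without ever logging the secret's value. The target URL is a placeholder and the `x-api-key` header name is an assumption about the API being called.

```lua
-- Added diagnostic example (not from the original report).
-- Run as a server Script, for example under ServerScriptService.
local HttpService = game:GetService("HttpService")

local SECRET_NAME = "SecretName" -- name used in the report's repro steps
-- Placeholder endpoint (assumption): replace with the API the key is scoped to.
-- It must match the domain configured for the secret.
local TARGET_URL = "https://api.example.invalid/inventory"

-- Step 1: fetch the secret. pcall separates "the call raised an error"
-- from "the call returned nil".
local ok, result = pcall(function()
	return HttpService:GetSecret(SECRET_NAME)
end)

if not ok then
	warn(("GetSecret(%q) raised: %s"):format(SECRET_NAME, tostring(result)))
	return
end
if result == nil then
	warn(("GetSecret(%q) returned nil"):format(SECRET_NAME))
	return
end
-- Log the type only; the value itself is never written to output.
print(("GetSecret(%q) returned a value of type %s"):format(SECRET_NAME, typeof(result)))

-- Step 2: pass the secret object directly as a header value.
-- A rejection here (for example a domain mismatch) surfaces as an error
-- from RequestAsync rather than from GetSecret.
local sent, response = pcall(function()
	return HttpService:RequestAsync({
		Url = TARGET_URL,
		Method = "GET",
		Headers = { ["x-api-key"] = result }, -- header name is an assumption
	})
end)

if not sent then
	warn("RequestAsync raised: " .. tostring(response))
else
	print(("HTTP %d %s"):format(response.StatusCode, response.StatusMessage))
end
```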

