RoCheck | Verifying a HTTP request is from a Roblox game

Logging onto Roblox uses an API key in a way for your account - your cookie string. All a cookie is is a string, and in the case of an authentication token, it’s just a string that lets the servers validate that the request is coming from a particular user.

1 Like

Don’t hire people you can’t trust.

1 Like

Or, use RoCheck and don’t have a single worry about needing multi-layer security and have it all done automatically. No API keys to worry about leaking, no worrying about your key getting leaked and needing to use a datastore to change it. None of that. You see my point now?

1 Like

I think RoCheck is cool!!!

But if you’re using it for authentication, then it is expensive and slow and doesn’t actually give you any meaningful layer of security that an API key can’t - at least as far as I can tell. And, on top of that, it has the really painful drawback of not working for full servers.

1 Like

Let’s say I have a product that I need to be able to secure my code (since Roblox got rid of require() on private modules). They need to go get the code for that from my server. How can I be so certain they won’t just print out the response in Studio or even a program like Postman?

1 Like

You seem very worried about leaked keys. It’s not nearly as much of a concern as you’re believing it to be. The entire internet is based on security keys that are just strings. They do not get leaked often, and when they do, they’re easy to change.

1 Like

You have them register on your website for their own private API key and then they have to provide that as a parameter to all functions. You don’t share an API key with multiple consumers.

1 Like

But at that point it’s not the key I’m worried about. It’s the code that the key can access.

You should always use API keys for your private endpoints. No discussion about that.

RoCheck gives you the ability to know if that request is really from a Roblox game. Don’t get me wrong, it’s pretty easy (once you have everything setup) to spoof a packet with a fake IP. That’s why it’s important you don’t rely on RoCheck solely for security! It’s simply another layer on your stack of security measures.

1 Like

Ah okay. What sort of reasons are there for needing to verify that it comes from a Roblox server specifically?

Well @TechSpectrum runs a clan service. He replied and said that this is very useful.

The general use case is any API you want as much security as possible for. Also, you are incorrect about your points about API keys. In the real world, it is far more complex than a simple string. They are dynamic, they change with each request. I recommend looking into JWT keys.

I can see how that’d be useful…
Although @TechSpectrum you may want to consider giving your clients their own API key, too.

All-in-all - I really like this idea and great work @grilme99 :slight_smile: But to all considering using this, make sure this isn’t your only layer of security. API keys should be your first step. This is a really useful tool for specific use-cases, I imagine, but should not be trusted on its own.

1 Like
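The layering argued for in this thread (a per-client API key as the first step, with a source check such as RoCheck only as an additional layer), written out as an added example that is not RoCheck's code or anything from the original posts. The server secret and the allowed source range are constructed sample values, and the source check is a hypothetical stand-in for whatever RoCheck actually does.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumption: in practice this comes from an environment variable or secret store.
SERVER_SECRET = b"constructed-server-side-secret"

# client_id -> {"key_hash": bytes}. Keys are stored only as keyed digests, so a
# leaked table does not hand out usable API keys.
_clients: dict = {}


def _digest(api_key: str) -> bytes:
    return hmac.new(SERVER_SECRET, api_key.encode(), hashlib.sha256).digest()


def issue_key(client_id: str) -> str:
    """Create or regenerate (rotate) the single API key belonging to one client."""
    api_key = secrets.token_urlsafe(32)
    _clients[client_id] = {"key_hash": _digest(api_key)}
    return api_key  # shown to the client once; the server never keeps it in clear


def check_api_key(client_id: str, presented_key: str) -> bool:
    """Layer 1: the client's own key, compared in constant time."""
    record = _clients.get(client_id)
    if record is None:
        # Compare against a dummy digest so unknown ids cost the same time.
        hmac.compare_digest(_digest(presented_key), _digest(""))
        return False
    return hmac.compare_digest(_digest(presented_key), record["key_hash"])


# Hypothetical stand-in for a RoCheck-style source check. Constructed TEST-NET
# range; as the thread notes, a source address can be spoofed, so this layer
# only narrows exposure and never replaces the key check.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def source_looks_like_game_server(client_ip: str) -> bool:
    """Layer 2: does the request arrive from an expected source range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def authorize(client_id: str, presented_key: str, client_ip: str) -> bool:
    """Both layers must pass; only the key check actually authenticates the client."""
    return check_api_key(client_id, presented_key) and source_looks_like_game_server(client_ip)
```

Regenerating a key via issue_key() invalidates the old one immediately, which is the "easy to change" property several posters rely on.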

After some work, I was finally able to get it to work! I didn’t pool the cookies yet because I’m not sure how the functions work.

[image]

1 Like

API keys are usually secure, and are today used almost everywhere for authentication and authorization. It’s not the API keys that are insecure, it’s the people who are using them who don’t have a set procedure of handling them, nor an access control system in place to restrict, and to know who accessed what key when.

1 Like

My clients have their own API key. It’s also regenerated by a Discord command if needed.

2 Likes

With the note on the OP stating that it has been changed to “Rodentify” does that mean you’re releasing the name “RoCheck” for use by others? (Sorry for necrobump, just need clarification to prevent issues)

I would still rather you do not use the name RoCheck.