Secure way for API keys for a REST API?

What’s up everybody,
Is it safe to use a variable in ServerStorage for an API key, so that it can't be cheated and can't be reverse engineered?
Sometimes I read that people have reverse engineered game code and found information in it.
Is it also possible that every request that comes from the game to the REST API has the same IP address from Roblox, so I can whitelist this IP and block all other IP addresses? Or does every request come from a different IP address?


I’d recommend using a secret for the API key and retrieving it with HttpService:GetSecret().

You'd have no way to retrieve the game server's IP address, even if it were the same. But it's very unlikely, due to false positives when checking for DoS/DDoS attacks on the service's end.

Bear in mind you would need to use a proxy service to access the Roblox API from the game servers, if this is what it is for, which would redirect via the proxy's IP address. Unless that IP address remains constant, which is unlikely if the proxy is widely used, due to firewall protection from DoS/DDoS attacks, there is no way.


If you're storing this API key within ServerStorage or within a server script, you actually have nothing to worry about!

I think the term is decompiling, and no, you can't decompile server scripts!
People can only read your server code when you've given them access to edit your place.
In this case, instances under ServerStorage are never streamed to the client, so you should be safe.

Roblox has servers in various countries; this task may prove difficult, considering the case where Roblox may decide to open up new servers and your external server fails to take that into account.

Of course, you may easily get the US IP addresses since Hurricane Electric shows these to the public.

You could find the Secret Datatype useful if you want to restrict people you’ve given edit access to your place from stealing your API keys.

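The two replies above both point at the Secret datatype (HttpService:GetSecret). As an added example, not code posted by anyone in this thread, here is what a server Script using it looks like. It assumes a Secret named EXTERNAL_API_KEY has been created in the experience's Secrets settings and that https://api.example.com/v1/status is the external endpoint; both names are placeholders.

```lua
-- Added example (not from the original thread): calling an external REST API
-- from a Roblox server Script with the API key held as a Secret, never as a
-- plain string in ServerStorage or in the script source.
-- Assumptions: a Secret named "EXTERNAL_API_KEY" exists in the experience's
-- Secrets settings; "https://api.example.com/v1/status" is a placeholder URL.
local HttpService = game:GetService("HttpService")

local SECRET_NAME = "EXTERNAL_API_KEY"
local ENDPOINT = "https://api.example.com/v1/status"

-- GetSecret returns a Secret object, not a string: printing it yields a
-- redacted placeholder, and it can only be used inside an HTTP header, so
-- even someone with edit access to the place cannot read or exfiltrate it.
local function getApiKeyHeader()
	local ok, secret = pcall(function()
		return HttpService:GetSecret(SECRET_NAME)
	end)
	if not ok then
		-- GetSecret errors when the secret does not exist or is not
		-- available in the current context (e.g. Studio without access).
		-- Fail closed rather than falling back to a hard-coded key.
		warn(("Secret %q unavailable: %s"):format(SECRET_NAME, tostring(secret)))
		return nil
	end
	-- AddPrefix builds "Bearer <key>" without exposing <key> to Lua code.
	return secret:AddPrefix("Bearer ")
end

local function callExternalApi()
	local authHeader = getApiKeyHeader()
	if authHeader == nil then
		return nil, "no credential available"
	end

	local ok, response = pcall(function()
		return HttpService:RequestAsync({
			Url = ENDPOINT,
			Method = "GET",
			Headers = {
				Authorization = authHeader,
				["Content-Type"] = "application/json",
			},
		})
	end)
	if not ok then
		return nil, "request failed: " .. tostring(response)
	end
	if not response.Success then
		-- 401/403 here usually means the secret value is wrong or was rotated
		-- on the API side without updating the Secret in Roblox.
		return nil, ("HTTP %d %s"):format(response.StatusCode, response.StatusMessage)
	end
	return HttpService:JSONDecode(response.Body), nil
end

local data, err = callExternalApi()
if data then
	print("API call succeeded", data)
else
	warn(err)
end
```

The point of this shape is that the key never exists as a Lua string: there is nothing to print, log, or accidentally return to a client. Authentication is still the API key itself, not the caller's IP address, which matches the replies above that IP allowlisting of Roblox game servers is not a workable control.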
