Sorts Web Api Question

I’m trying to get a sort token from the sorts web api, and when I pass through the variables it expects, it returns me a table with tokens. I take one of the tokens and then try to use it in the list api, and it returns Incorrect token.

I’ve even tried passing through my ROBLOSECURITY cookie in case it needed that, which also didn’t work.

I’m stumped, and can’t find anything about it

Hello!

You need to get the XCSRF Token to use the API. If you tell me what language you’re programming in I can help you out.

I’m using lua in roblox studio, I’m using a proxy so I can write most of the api code in lua.

Hoping that you are using your own proxy to request the API and sending your .ROBLOSECURITY isn’t a good idea.

Anyways, you will need to send a PostRequest to “https://auth.roblox.com/v2/login” and within the response’s headers the token is stored under “x-csrf-token” (it will be a jumble of letters and numbers).

Once you receive the token, add that into your headers for your request to the Games API.

Yes I’m using my own proxy and I’m about to implement what you just said, I seriously thank you for this many sleepless nights trying to do this.

Yeah personally this took me hours to find as like you said there is no information anywhere.
Good luck and if you have any more issues make sure to reply.

Question with the auth api.

With the JSON it requires, where would I get the values it requires from?

{
  "ctype": "Email",
  "cvalue": "string",
  "password": "string",
  "captchaId": "string",
  "captchaToken": "string",
  "captchaProvider": "string"
}

Don’t worry about that, just send a post request to the URL with the .ROBLOSECURITY cookie in your headers.

Also personally I’ve never worked with using the API within Roblox but I have with JavaScript so if you understand JS you can probably apply this to Roblox

// POSTs to the login endpoint with the cookie and resolves to the value of
// the "x-csrf-token" response header.
function XCRSF(Cookie) {
    return fetch("https://auth.roblox.com/v2/login", {
        headers: {
            cookie: Cookie
        },
        method: "POST"
    }).then(Response => Response.headers.get("x-csrf-token"))
}

Ok, thank you so much for your time!

Oh, and something really inconclusive I’ve found: does the roblosecurity cookie need the _|Warning| _ at the start? I found multiple posts, all with different responses.

Because when I do add that in I get
image

However when I remove it it says there was an error.

image
(From the auth api)

And would this be the correct way to pass through the xcsrf token to the sorts api?
image

For my module, I didn’t add the _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_, I just added the token after this point and it worked fine for me.

Do you know what I should do with the xcsrf token?

I passed it as headers,

self.headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/json;charset=utf-8',
    'Origin': 'https://www.roblox.com',
    'X-CSRF-TOKEN': csrf,
    'DNT': '1'
}

This is what I did, where csrf is the x-csrf-token you got. These headers were used for future requests.

This is what I’ve got currently.
However, I’ve tried changing things around, and I still get an error from the auth api.
I’m basically back to where I started.

I’ve also changed my cookie, hoping that would help. Spoiler: it didn’t.

image

local xcsrfToken = proxy:Request(auth,"/v2/login","POST",{["cookie"] = ".ROBLOSECURITY="..cookie})
print(xcsrfToken)
xcsrfToken = xcsrfToken["Headers"]["x-csrf-token"]

local b = proxy:Request(sorts,"/v1/games/sorts?model.gameSortsContext=GamesPageAbTestSorts1","GET",{["X-CSRF-TOKEN"] = xcsrfToken})
print(b)

Sorry for the late reply. Some things you should take note of are:

  • XCSRF Token resets every 30 minutes.
  • Are you passing the .ROBLOSECURITY with the games api request?
  • Is your content type “application/json”?
  • Print your token, is it actually correct and is it a string?
  • Try the games api request as “POST”
1 Like
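
The token handshake discussed in this thread, as an added example that is not code from any of the posters: a client that caches the token, adopts a fresh one when a request is rejected, and retries exactly once. `FakeEndpoint`, `CsrfSession`, the `/v1/example` path and the token and cookie values are constructed for illustration, and the "403 plus a new `x-csrf-token` header" behaviour is an assumption built into the stand-in server, so nothing here touches the network.

```python
class FakeEndpoint:
    """Constructed stand-in server. Assumed behaviour: a request without the
    current token gets 403 plus a fresh token in the x-csrf-token header."""
    def __init__(self):
        self.current = "tok-1"          # constructed token value
        self.calls = 0

    def rotate(self, new_token):
        self.current = new_token        # simulates the token expiring server-side

    def post(self, path, headers):
        self.calls += 1
        if headers.get("X-CSRF-TOKEN") != self.current:
            return 403, {"x-csrf-token": self.current}, None
        return 200, {}, {"ok": True, "path": path}


class CsrfSession:
    """Caches the token and refreshes it once when the server rejects it."""
    def __init__(self, transport, cookie):
        self.transport = transport
        self.cookie = cookie
        self.token = None

    def post(self, path):
        for _ in range(2):              # first try plus one retry after a refresh
            headers = {"Cookie": ".ROBLOSECURITY=" + self.cookie}
            if self.token is not None:
                headers["X-CSRF-TOKEN"] = self.token
            status, resp_headers, body = self.transport.post(path, headers)
            fresh = resp_headers.get("x-csrf-token")
            if status == 403 and fresh:
                self.token = fresh      # adopt the token the server handed back
                continue
            return status, body         # success, or a 403 with no token offered
        return status, body             # still rejected after one refresh


def demo():
    server = FakeEndpoint()
    session = CsrfSession(server, cookie="PLACEHOLDER_COOKIE")
    first = session.post("/v1/example")     # 403 then 200: two calls
    second = session.post("/v1/example")    # cached token: one call
    server.rotate("tok-2")                  # cached token is now stale
    third = session.post("/v1/example")     # 403 then 200 again: two calls
    return first, second, third, server.calls, session.token
```

A 403 that carries no token header is returned to the caller instead of being retried, which keeps a genuinely forbidden request from looping.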

How would I change the specified content type?

This is post async so I don’t know if it applies to get.

I tried passing the cookie with the games api request, and it didn’t change anything. The main issue here is getting the xcsrf token: when I pass through my cookie it just says that it’s invalid.