Swagger docs are no longer available on most, but not all subdomains

This issue appears to have surfaced after the Roblox outage earlier today however given that https://status.roblox.com specifies that everything is ‘operational’, I’m assuming that the outage has passed and this is either something that was overlooked or something that the team is aware of and investigating separately of the outage.

Navigating to most swagger docs pages on the website (such as https://games.roblox.com/docs) results in a 404 page. This 404 page is different from the 404 page you get if you go to an endpoint that doesn’t exist, which implies some error or bug of some form. The endpoints on these subdomains appear to still work. However, the lack of documentation makes it difficult to use them in their intended way, if not already using them.

The documentation also appears to be 404’ing in its json format (https://games.roblox.com/docs/json/v1), which is possibly a cause for why the docs page is broken. It’s worth being aware that not all swagger docs pages are affected. For example, https://chatmoderation.roblox.com/docs is available, including its json formatted documentation, albeit that subdomain doesn’t really have any documented endpoints for developers to use.

Thank you so much for this report. Should be noted that this endpoint is also affected:

• https://users.roblox.com/docs/index.html

Thought they were removing the remaining doc sites for a second

To clarify, a large majority of the endpoints are affected; I only used the games API as an example.

I am using https://auth.roblox.com/ for CSRF tokens, and it’s returning a 404
This is affecting my services!

You can observe the same 404 on https://roblox.com/admin or https://gold.roblox.com. I assume that this 404 is presented by another software rather than Swagger. Just a miscellaneous observation I made

Thanks for the report, the team is aware of this and will update when we have a resolution.

FYI, independent of the docs outage, this is bad practice and likely would likely be impacted by the Account Session Protection flags if the request also passes the cookie.

x-csrf-token815×1080 33 KB

CSRF headers are visible on every endpoint that requires them, use retry logic and hold on to the CSRF token in the HTTP 403 response til the next failure.

Some day, I really should update noblox.js to do this properly, since I feel like our archaic carryover implementation of getGeneralToken has led to this widespread (bad) practice.

We used this route as we could not find a feasible fix during development for it’s use. If we do ever redo this system however, I will keep this in mind.

Add an additional / to access the docs, until they fix it.

e.g. https://assetdelivery.roblox.com//docs/index.html see the two //

All of the following URLs are affected, and upon adding a doubled slash “//” it seems to fix it

Can confirm adding a double forward slash is a workaround for now.
https://groups.roblox.com//docs/index.html works
https://groups.roblox.com/docs/index.html 404

The documentation has moved here: https://create.roblox.com/docs/cloud/legacy

The new pages list all API documentation that was previously available via direct docs URLs on the respective API sites, to the best of our knowledge. Please let us know if anything is missing that was available before.

You can find all these APIs in the left navigation. It also calls out on the overview page certain APIs that you can hit with legacy OAuth 2.0 / API key scopes instead of with a cookie.

Please rely on this new documentation page instead of the old documentation URLs since we cannot offer guarantees that the old URLs will stay available, including any variation (like the double slash workaround), for involved technical reasons.

While we do our best to alert you of breaking changes, please note that these legacy APIs may change without notice and break your application and do not have the stability guarantees of the newer Open Cloud APIs.

We especially discourage using the endpoints that only take cookie authentication as much as feasible for your use case, as cookies do not offer fine-grained authorization via scopes.

We are looking into improvements to the new documentation pages, like having a way to download the openAPI JSON for each surface, and we are investigating what it would take to support “try out”-esque features on this page.

You can let us know here or by filing a new bug report or feature request if you have any feedback, questions or concerns. We’ll do our best to take that into account for any changes we plan to the documentation.

Although the new pages look great, I sometimes use the v0 APIs as it includes info that you often have to get on lots of other APIs, are there any plans to remove them?

Can you let me know which API sites you are talking about?

Can I DM you? It’s prob easier aha

Confirmed in private messages that for maintenance reasons, we are not going to document the V0 endpoints on the Legacy APIs page and highly recommend not to use these endpoints going forward anymore. The swagger docs for the V0 endpoints have not been exposed for several years.

This is not always feasible for a couple of reasons right now. Is an eventual goal of Roblox to support all use cases for cookie authenticated endpoints via OpenCloud, or are some endpoints going to stay cookie-only (and presumably eventually get deprecated)?

The reason for the statement you quote is that we cannot officially encourage using endpoints with cookie authentication for new use cases, especially for the cases where there are also Open Cloud alternatives already which can be used today, which I hope you can appreciate. It’s not feasible for us to provide stability guarantees on these endpoints, and cookie authentication is not scoped properly in terms of permissions.

We fully understand that you all have certain tooling live right now that use these endpoints for valid reasons and it’s not our intent to break that, and we want to make sure that we properly support you with Open Cloud support. The current change only affects how/where we store swagger documentation for legacy APIs. Nothing else about our stance has changed.

will only the new role system get opencloud support, or are you eventually planning to add the legacy role system as well? (for groups)

This seems off-topic to swagger documentation. Could you start a new topic or private message me with more details?