Trouble with Login Api

Hi Developers, I am having some trouble with Roblox’s Login API. I am currently trying to figure out how to use the Login API to access the user settings for my bot account. Can someone help me with how to send the .ROBLOSECURITY through the POST method, along with the xcsrf token? Currently I am using Node.js.

The thing you are doing is illegal; you can’t access the ROBLOSECURITY of an account with code, as that violates Roblox privacy.

  1. This is not illegal.
  2. The API he is looking at is deprecated.
  3. Use https://auth.roblox.com/v2/login
  4. You will need to pass a captcha
6 Likes

How would I send captcha token? Can’t I just do cookie login?

You don’t need to use that endpoint to log in. You can just send the .ROBLOSECURITY cookie with your request. However, if you need the xcsrf token, you can send a request to that endpoint with the .ROBLOSECURITY cookie and it will return it as the x-csrf-token header.

1 Like

You could look into how software like noblox.js does it.

I have experienced a lot of bugs and errors with noblox, so I am making my own.

Is it possible to share the API where it gives the x-csrf-token?

You send a POST request to the logout endpoint (with the .ROBLOSECURITY cookie present in the request headers). Without a CSRF token provided, it won’t actually do anything, but the response header will contain an X-CSRF-TOKEN field which you can use to validate other requests.

https://auth.roblox.com/v2/logout

Be sure to refresh this token by sending another POST request to the logout endpoint if you need to.

I mean, you all have it completely wrong. When you send account credentials, it should respond with a JSON body that has a prop form; this is to initialize the captcha. Then you register the first 4 sessions and send the correct keys, and then you get your captcha key. This endpoint, when it succeeds, authenticates the user with a new session.

Can you send some example code for logging in with the .ROBLOSECURITY and X-CSRF-TOKEN?

Well, the basis of generating a CSRF token is along the lines of:

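// POST to the logout endpoint without a CSRF token: the response carries a token.
const response = await fetch("https://auth.roblox.com/v2/logout", {
    method: "POST",
    headers: {
        // Assumes the environment variable holds the whole cookie string (".ROBLOSECURITY=<value>").
        cookie: process.env.ROBLOSECURITY,
    }
})

// null if the response did not include the header
const csrfToken = response.headers.get("X-CSRF-TOKEN")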

Then to make a request to an endpoint which requires a CSRF token, you just need to include the value of the csrfToken variable as an X-CSRF-TOKEN header in the request config.

But it is there, albeit wrapped in their own HTTP wrapper (which appears to be using the request-promise library, looking at the request config), in the noblox.js library:

I suggest you ask the user to input their cookie into a variable. Then, when they start the bot, it will log them in via either the noblox.setCookie() function or your own method. Once you have the required information (token + cookie), you send a request to that endpoint with the token and cookie attached in the headers.

A coding example

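const roblox = require("noblox.js"); // `roblox` in this snippet is the noblox.js module
const axios = require("axios").default;

// Placeholder value; the real cookie is a credential and should not be hard-coded in source.
let cookie = "cookie";

// Authenticates noblox.js with the cookie; on failure the error is returned, not thrown.
async function login() {
    try {
        await roblox.setCookie(cookie);
    } catch (err) {
        return err;
    }
}

// Sends a private message to rbxID using the CSRF token and cookie of the logged-in account.
async function sendUser(rbxID, subject, body) {
    let token = await roblox.getGeneralToken();
    let senderID = await roblox.getSenderUserId();
    let request = await axios({
        url: "https://privatemessages.roblox.com/v1/messages/send",
        method: "POST",
        headers: {
            "Content-Type": "application/json",
            "X-CSRF-TOKEN": token,
            "Cookie": `.ROBLOSECURITY=${cookie}`
        },
        data: {
            userId: senderID,
            subject: subject,
            body: body,
            recipientId: rbxID,
        }
    });
    return request;
}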

Hope this helps!
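
The token handshake and the "refresh this token" advice from the replies above, combined into one request helper. This is an added example, not code from the thread or from noblox.js. `createSession`, `request` and `fakeEndpoint` are hypothetical names, and the helper assumes a missing or stale token is answered with HTTP 403 plus a fresh `X-CSRF-TOKEN` header.

```javascript
// Added example. fetchImpl is injectable so the flow can be run offline.
const TOKEN_HEADER = "x-csrf-token";

function createSession(cookieValue, fetchImpl = globalThis.fetch) {
  if (!cookieValue) throw new Error(".ROBLOSECURITY value is missing");
  let csrfToken = null; // cached; replaced whenever the server issues a new one

  const send = (url, options) => {
    const headers = { ...options.headers, cookie: `.ROBLOSECURITY=${cookieValue}` };
    if (csrfToken) headers[TOKEN_HEADER] = csrfToken;
    return fetchImpl(url, { ...options, headers });
  };

  // Assumption: a missing or stale token is rejected with HTTP 403 and the
  // current token in the X-CSRF-TOKEN response header. Store it, retry once.
  // A 403 that repeats the cached token is a real denial and is not retried.
  async function request(url, options = {}) {
    let response = await send(url, options);
    const fresh = response.headers.get(TOKEN_HEADER);
    if (response.status === 403 && fresh && fresh !== csrfToken) {
      csrfToken = fresh;
      response = await send(url, options);
    }
    return response;
  }
  return { request };
}

// Constructed stand-in for the remote endpoint (not the real service).
// Changing state.token simulates the server rotating the token.
function fakeEndpoint(state) {
  return async (url, { headers }) => {
    state.calls += 1;
    const ok = headers[TOKEN_HEADER] === state.token;
    return {
      status: ok ? 200 : 403,
      headers: new Map([[TOKEN_HEADER, state.token]]),
    };
  };
}

// Against the real API, read the cookie from the environment, never from source:
// const session = createSession(process.env.ROBLOSECURITY);
// await session.request("https://privatemessages.roblox.com/v1/messages/send", { method: "POST", ... });
```

Do not route the logout endpoint through `request()`: the retry carries a valid token, so the logout would actually take effect and invalidate the cookie.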