Unlocked InsertService DIY Web Server

Notice! (October 9, 2020)

This project will no longer work with large-scale games.

While testing a program I wrote for bulk-purchasing catalog items, I noticed that the Roblox web API is rate-limiting purchases to a very small rate. I didn’t measure it precisely, but my bulk purchase attempts usually failed around 20 to 30 items.

For new models requested by players for the first time, this means that you will have to either rate-limit them on a per-game-creator basis, modify this project to function as a long-running queue (where players wait however long before their new models can be used), or use a server solution that serializes-deserializes those model files, such as Robuyasu’s Insert Cloud Module.

This is really disappointing, but it was fun while it lasted.

There is a restriction with InsertService where you can only load models that you own or Roblox created, and not other free models in the library.

This project aims to ease that restriction by providing web server software games can communicate with to enable these models to be loaded, at least, for those who don’t mind figuring out how to make their own servers.

It comes in two main parts: The web server, and the game script. These work together to load models that normally would be blocked.


Currently, this project only supports games living on individual accounts. Group games are not yet supported because they require a very different approach.

To use this in a live game, you need to know of a way of running a publicly-reachable web server dedicated for your Roblox games. How you can set up the server part depends on what internet resources you have available. The main limitation is the server will only run on Microsoft Windows.

How to set up on a Windows computer for Roblox Studio.

This guide is intended to give you an understanding of how to use the software. This will not work in an online environment unless you take additional steps to secure the server and expose it to the internet.

1. Install IIS on your computer.

Start typing Turn Windows features on or off into Windows Search and then press enter once it’s highlighted.

Then check 3 check boxes: Internet Information Services, and the two ASP.NET features buried deep under it.


Click OK, then proceed through the installation process.

2. Set up the server.

Grab a copy of the web server project, and then extract the folder into your desktop. Rename it to “UnlockedInsertService”.

Then you need to get your Roblox login cookie; this is so the server can pretend to be you taking models from the website.

Get your cookie from the web browser however it lets you. In the case of Firefox, you can press Ctrl+Shift+K to open the developer tools and then click on Storage.

Copy the text that has the really scary warning. We’re only sharing it with a home computer.

Edit the Web.config file with your favorite text editor. You will find these lines:

<add key="ApiKey" value="ThisIsSuperSecretLol"/>
<add key="RbxAuthToken" value="Put your ROBLOSECURITY cookie here."/>

Erase Put your ROBLOSECURITY cookie here and paste your cookie there.

Replace ThisIsSuperSecretLol with something weird and random. It’s like a password, except for games to use your server. Write this new API key somewhere, because you will need it later.

Save the file, then move the folder to C:\inetpub

Open IIS from Windows Search.

On the left, right-click on the default website and stop it. We’re not using it.


Next, right-click Sites and then click Add Website…


Fill out the boxes with a name, the site’s folder path, and a port number of your choosing. This is what I did:

Now close IIS.

Check that the server works by going to something like http://localhost:1234/ in your web browser, where 1234 is your chosen port number.

If you see this screen, your server is working and it can log in to Roblox.

3. Set up a game to use Unlocked InsertService.

On one of your Roblox games, insert the game script into ServerScriptService.


Then enable HttpService from the game settings. This script needs it.

Then examine these lines in the script:

ServerAddress = ""
ApiKey = "ThisIsSuperSecretLol"
PrintActivity = true

Change the text of ServerAddress to an address pointing to your web server. In my case, it was http://localhost:50003/.

Next change the ApiKey to match what you wrote into the server’s configuration file earlier.

PrintActivity should remain true, since this will help with debugging.

To make sure it works, Play Solo, then switch to the server side. Paste this command into the command bar:

game.ServerScriptService.UnlockedInsertService.LoadAsset:Invoke(182529039).Parent = workspace

You should see the following output. If you do, then great, your server’s working! Have fun experimenting!

[UnlockedInsertService] Whitelisting 182529039
[UnlockedInsertService] Whitelisted 182529039

Additional things to do to use this in an online environment.

To make this work in an online game, you need to set up a web server that’s exposed to the internet. This is so the Roblox game server can contact it.

You can use a cloud-service provider that can run ASP.NET-based software, such as Microsoft Azure. Though make sure you can trust the service-provider with your Roblox cookie.

If your internet connection allows for it, you can also use a physical computer to act as a web server. Though you will need to do some port-forwarding magic and then leave the computer turned on 24/7 so it can service your game. You will also need to create a Windows Firewall rule to allow your chosen port to be used.

You should set up an HTTPS connection to protect your API secret key from being leaked. To do this, you need to buy a domain name (like roblox.com) and then install a certificate (proof of identity) for it. Have this domain point to your server’s public IP address and change the game script to use that domain name instead of whatever you put there before. Make sure your new string starts with https://, with the S.

If you need more details, try looking up search terms such as “How to set up an ASP.NET server in IIS”, “How to run a home web server”, “ASP.NET app in Azure App Engine”, etc.
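
A pre-exposure check for the two Web.config settings and the ServerAddress described in the post above, as an added example that is not part of the original post or the project. The function names, the sample config and the example.test address are constructed, and it assumes the two <add> lines sit under the standard ASP.NET appSettings element.

```powershell
# Added example, not the project's code; function names are hypothetical.
function New-UisApiKey {
    # 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Test-UisConfig {
    param([xml]$Config, [string]$ServerAddress)
    # Assumption: the two <add> lines live under the standard <appSettings> element.
    $settings = @{}
    foreach ($node in $Config.SelectNodes('//appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    $findings = @()
    $apiKey = $settings['ApiKey']
    if (-not $apiKey -or $apiKey -eq 'ThisIsSuperSecretLol') {
        $findings += 'ApiKey is missing or still the published default.'
    } elseif ($apiKey.Length -lt 32) {
        # 32 is a threshold chosen for this example, not a project requirement.
        $findings += 'ApiKey is shorter than 32 characters; use New-UisApiKey.'
    }
    $token = $settings['RbxAuthToken']
    if (-not $token -or $token -like 'Put your ROBLOSECURITY cookie here*') {
        $findings += 'RbxAuthToken is missing or still the placeholder text.'
    }
    # The guide recommends HTTPS so the ApiKey is not leaked in transit.
    if ($ServerAddress -and $ServerAddress -notmatch '^https://') {
        $findings += "ServerAddress '$ServerAddress' is not https://."
    }
    $findings
}

# Constructed sample input: the guide's untouched defaults.
$sampleConfig = @'
<configuration>
  <appSettings>
    <add key="ApiKey" value="ThisIsSuperSecretLol"/>
    <add key="RbxAuthToken" value="Put your ROBLOSECURITY cookie here."/>
  </appSettings>
</configuration>
'@
$sampleAddress = 'http://uis.example.test:1234/'   # constructed address

@(Test-UisConfig -Config ([xml]$sampleConfig) -ServerAddress $sampleAddress) |
    ForEach-Object { "FINDING: $_" }
"Suggested ApiKey: $(New-UisApiKey)"
# Real file: Test-UisConfig -Config ([xml](Get-Content -Raw 'C:\inetpub\UnlockedInsertService\Web.config'))
```

Leave ServerAddress empty to skip the HTTPS check while testing against localhost in Studio.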


Is this against ROBLOX TOS? They have these restrictions in place for a reason.

I looked and it didn’t say anything about automated access to the website, so I believe it’s not against the TOS.

I don’t think the restriction makes much sense when compared with require() and other potentially-dangerous services.

require can load anything. There’s no setting to restrict it and there’s no way to sandbox a ModuleScript before it has a chance to execute unwanted code. It might as well be a more potent version of loadstring, and yet it is the only easy way of making some toolbox assets work, such as auto-updating Admin scripts.

If a script could freely use InsertService, it would have a chance to purge scripts and other unwanted objects from a model without letting them run.

Other potentially dangerous systems have settings that restrict them by default, but they can be enabled if the developer is confident they know what they’re getting into. For example, loadstring and HttpService.

While I agree that you can’t prevent the dangerous aspect of it, my concern is that this will be used to get assets that other developers created without their permission, and without them wanting to share it. With module scripts, the developer had to follow explicit instructions in order to allow their code to be used in other players’ games.


You can’t use InsertService for assets that aren’t free to take, that defeats the purpose of private assets. By default published assets are private and having it public is an option decided by the developers themselves.


I misunderstood this topic. I thought he was trying to insert assets that weren’t free.