Userblock requests not working?

NOTE: I apologize if this is in the wrong category, but I’m frustrated and can’t find answers anywhere.

So recently, my followers were botted, and around 1100 users were added within the span of seconds. I’m trying to write a bot that deletes all of these users, but whenever I send a POST request to the API, it doesn’t block the user, and returns {} as a response and a status code of 403. The API docs for it both a) provide the wrong url, and b) say you only need to provide one argument userId, which I don’t think is even correct.

To add to this, I know absolutely nothing about HTTP requests in general, so if someone could just provide a basic rundown of ‘for the data you need to provide this, for the header you need to provide this’, I’ll take care of the rest. Thank you.

tl;dr confused with the userblock API, please help

Have you provided an up-to-date CSRF token?

If you haven’t then you’ll need to check if the response has the X-CSRF-Token header then resend the request with the token.

I had already found the CSRF token but I’m not sure where to put it. My request looks like this (python):

post(url=blockurl, data={"blockeeId": "1271478824"}, headers={"X-CSRF-TOKEN": "private"})

Does the CSRF token go in the header?

Yes it goes in the headers.

Do you have the authentication cookie in the request as well? That is another possible cause of 403.

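The handshake described in the replies above (a 403 that carries an X-CSRF-Token header, then a resend with that token plus the .ROBLOSECURITY cookie), as an added example that is not part of the original thread. `StubApi`, the `/block` path, the cookie values, and the rule for which 403 carries a token are constructed stand-ins so the code runs offline; they are not the real Roblox API.

```python
import secrets


class StubApi:
    """Constructed stand-in for a cookie-authenticated API with a CSRF header check."""

    def __init__(self, valid_cookie):
        self.valid_cookie = valid_cookie
        self.token = secrets.token_hex(8)  # token the stub currently expects
        self.calls = 0
        self.blocked = []

    def post(self, path, data, headers, cookies):
        """Return (status, response_headers, body), like a minimal HTTP response."""
        self.calls += 1
        sent = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if cookies.get(".ROBLOSECURITY") != self.valid_cookie:
            return 403, {}, {}  # assumed behaviour: no valid session, no token offered
        if sent.get("x-csrf-token") != self.token:
            return 403, {"x-csrf-token": self.token}, {}  # missing/stale token: stub supplies one
        self.blocked.append(data["blockeeId"])
        return 200, {}, {}


def post_with_csrf(api, path, data, cookie, token=""):
    """POST once; on a 403 that carries a fresh token, resend once with it.

    Returns (status, body, token) so the caller can reuse the token next time.
    """
    cookies = {".ROBLOSECURITY": cookie}
    for _ in range(2):
        status, resp_headers, body = api.post(path, data, {"X-CSRF-TOKEN": token}, cookies)
        fresh = {k.lower(): v for k, v in resp_headers.items()}.get("x-csrf-token")
        if status != 403 or not fresh or fresh == token:
            break  # success, or a 403 that a new token will not fix (check the cookie)
        token = fresh
    return status, body, token


if __name__ == "__main__":
    api = StubApi(valid_cookie="constructed-session-value")
    # Valid cookie, no token yet: first call is rejected, second succeeds.
    print(post_with_csrf(api, "/block", {"blockeeId": "1271478824"}, "constructed-session-value"))
    # Invalid cookie: 403 with no token header, so no retry is attempted.
    print(post_with_csrf(api, "/block", {"blockeeId": "1271478824"}, "expired-value"))
```

A 403 that comes back without a token header is the case where resending cannot help, which matches the "check the authentication cookie" advice in the thread.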

Which one is that? .ROBLOSECURITY?

Yes. Make sure it is still valid and working.
Could you provide more of the code? I’m not too familiar with python.

This isn’t something you should police. While blocking a user will indeed terminate the follower status between you both, it’s unfeasible to do this with over 1000 users, especially since you can only have 50 users blocked at a single moment. You’d be repeating the process of blocking a user, unlocking your pin, and then unblocking that user over and over (also being rate-limited as a result). In fact, it’s possible you could get in trouble for API abuse.

Leave it to Roblox. If you have a look now you’ll see a lot of the accounts have already been terminated.


If ROBLOX is so effective at stopping bots, why are they still an issue? Why do I have to have 60 pages of blank followers just because ROBLOX doesn’t want to remove the following connection between users they know have been used just to attack someone?

If you saw a developer with 75% followers being bots, you’d think they were doing something fishy, no?

Also, no, they haven’t all been terminated, there are still some left around page 40.

Thank you very much, I’ve determined that this was indeed the issue.

Botting is an ongoing battle for literally any platform out there. Roblox has had engineering positions solely dedicated to bots and they are working away at trying to diminish the harm bots can do. You aren’t giving them enough credit. They are trying: doesn’t mean they can resolve it fully.

The post that byc replied with said that a lot of the bots were terminated, not all. Staff are obviously going to miss some bots or have them pile up in their moderation queue.


I guess my point was that ROBLOX should, specifically in the case of follow bots, remove all of their following connections, so it doesn’t inflate the following count of users who want nothing more than to just have a legitimate-looking, large following.

You’re free to write a feature request if you think you really want this feature. Just be ready to back it with a strong story, use case (why you think it is worth adding) and to talk about the problem rather than a proposed solution.