Using Roblox API in-game

Here is a module that lets you trigger Roblox endpoints from in-game. Use to find all the endpoints, though most of them are not already set up in the module.

RobloxAPI.rbxmx (9.6 KB)

To use it

local RobloxAPI = require(game.ServerStorage.RobloxAPI)()
RobloxAPI.SetRobloSecurity("PasteRobloSecurityHere") --This "logs you in" and authorizes the requests

--How to call an endpoint
RobloxAPI.Friends.FollowUser({UserID = 1}) --Will make whatever account is associated with the RobloSecurity follow the Roblox account

RobloxAPI.Friends.UnfollowUser({UserID = 1}) --Unfollows the Roblox account

This module uses as a proxy; Roblox doesn’t allow sending any HTTP request to from in-game. If you want to use your own proxy, change the domain on line 4 in the RobloxAPI module.

How to get RobloSecurity

  1. Open Google Chrome
  2. Go to any page on
  3. Press Ctrl + Shift + i to open Inspect Element
  4. Select Application
  5. Copy the .ROBLOSECURITY code, without the warning message at the beginning. In the below pic, you’d copy everything after “0ECB1”…
  6. On the second line in the above example, where it says RobloxAPI.SetRobloSecurity("PasteRobloSecurityHere"), go and paste the code there

How to add an endpoint
Create a new ModuleScript, and use the code below as a reference

local Endpoint = {
	Method = "GET",
	Subdomain = "subdomain",
	Path = "v1/{Option1}",
	Body = {
		Key = "{Option2}",
	},
	Options = {
		["Option1"] = {Type = "string", Required = true},
		["Option2"] = {Type = "string, number"},
	},
}

return Endpoint

Endpoint.Method = The HTTP method to use, HTTP methods
Endpoint.Subdomain = The subdomain to use, e.g. api, groups, catalog
Endpoint.Path = The path to use. Most subdomains and paths are on
Endpoint.Body = A table that gets converted to JSON and sent with the HTTP request body.

Endpoint.Options = The input the developer gives to the API. Mostly for basic validation of the request before it gets sent, but is also a useful reference for when you are using the API.

Anything in the endpoint path or body can be replaced with values from the request options. Example:

--Endpoint for joining a group
local Endpoint = {
    Path = "v1/groups/{GroupID}/join-requests/users/{UserID}",
    Body = {
        key = "{GroupID}"
    }
}

--Some other script
RobloxAPI.Groups.JoinGroup({GroupID = 1, UserID = 2})

In that example, {GroupID} in the path will be replaced with 1 and {UserID} with 2.

Not a lot of endpoints are supported currently, but if anyone wants to set some up I can add them to the downloadable file above.
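
As an added example that is not part of the original post or the RobloxAPI module's own code: one way to validate the declared options and fill `{Name}` placeholders so that a supplied value cannot change the request path. `PROXY_DOMAIN`, `BuildRequest`, the URL layout and the sample endpoint's method and option types are assumptions.

```lua
-- Added example, not the RobloxAPI module's code; all names here are hypothetical.
local PROXY_DOMAIN = "proxy.example" -- placeholder, not the module's proxy
-- Percent-encode a path value so "/", "?", "#" and "." cannot add or change segments.
local function urlEncode(value)
	return (tostring(value):gsub("[^%w%-_~]", function(c)
		return ("%%%02X"):format(c:byte())
	end))
end

-- Required options must be present; Type is a list such as "string, number".
local function validate(endpoint, options)
	for name, rule in pairs(endpoint.Options or {}) do
		local value, ok = options[name], false
		for allowed in (rule.Type or type(value)):gmatch("%a+") do
			ok = ok or type(value) == allowed
		end
		if value == nil then
			if rule.Required then error("missing required option " .. name, 0) end
		elseif not ok then
			error(("option %s must be %s, got %s"):format(name, rule.Type, type(value)), 0)
		end
	end
end

local function BuildRequest(endpoint, options)
	validate(endpoint, options)
	-- Path placeholders: declared options only, always encoded, never left unfilled.
	local path = endpoint.Path:gsub("{(%w+)}", function(name)
		local declared = (endpoint.Options or {})[name] and options[name] ~= nil
		assert(declared, "no declared value for {" .. name .. "}")
		return urlEncode(options[name])
	end)
	-- Body placeholders keep the option's own type; JSON encoding happens later.
	local body = {}
	for key, template in pairs(endpoint.Body or {}) do
		local name = type(template) == "string" and template:match("^{(%w+)}$")
		if name then body[key] = options[name] else body[key] = template end
	end
	return { Method = endpoint.Method, Body = body,
		Url = ("https://%s.%s/%s"):format(endpoint.Subdomain, PROXY_DOMAIN, path) }
end

-- Constructed endpoint and inputs, modelled on the join-group example above.
local Join = { Method = "POST", Subdomain = "groups",
	Path = "v1/groups/{GroupID}/join-requests/users/{UserID}",
	Options = { GroupID = { Type = "number", Required = true },
		UserID = { Type = "number", Required = true } } }
print(BuildRequest(Join, { GroupID = 1, UserID = 2 }).Url)
print(pcall(BuildRequest, Join, { GroupID = 1, UserID = "2/../../x" }))
```

The code uses only the standard string library, so it runs under plain Lua 5.1 or later as well as in a Roblox script.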


Probably wouldn’t recommend putting your cookie into a script in-game, regardless of whether this is on the server. You’d be better off creating your own proxy server for this.


It’s fine to put it in ServerScriptService or ServerStorage. Also not everyone has the technical knowledge or money to set up and maintain their own servers.

This is a quick and easy way to promote players in groups from in-game, send players private messages (e.g. sending discount codes if they buy something in-game), and to interact with the catalog API.

You could also make a separate ‘bot’ account to use with the API, so if someone does end up getting the cookie, they won’t be able to touch your revenue.

Isn’t this abuse of the website endpoints, if you’re going to be logging in and automating an account??

You definitely want to be running your own proxy if you are going to be running sensitive data/cookies through it!! Please add a clear warning against this in your post. You should assume the proxy can at any time decide to start logging anything about your request data without you being able to find out.