Why is HttpRbxApiService private to Staff?

Why is this GREAT service restricted for admin usage only?? It would be great to use this. Think, you could make a system where you can detect if a user bought something.

I mean yeah, it could be abused, but you could restrict it enough for it to be useful but not trash.

Because it has access to Roblox API endpoints that normal users/developers shouldn’t access.

“it could be abused but you could restrict it”

But then that ruins the point of the service; the regular HttpService is designed to be used by developers and users.

It would be better to request access to specific points using HttpService than lowering the security level of HttpRbxApiService.

Roblox is actually doing that with Open Cloud.

Roblox doesn’t want you DDOSing their servers with their own servers. That’s the reason they give.

At the time I can agree, but it’s a little questionable now given that modern Roblox code likes to spam their web servers.

(Also you should be using HTTPService:RequestInternal, not HTTPRBXApiService)

The functions of HttpRbxApiService, such as RequestAsync, are meant to be used by CoreScripts and perform HTTP requests in the client while including the account authorization cookie in the request. If this function was available to the public, it would lead to absolute chaos.

Actually, at some point in time, HttpRbxApiService was available to the public and had a separate function for the normal users/developers to call, RequestLimitedAsync. As of now, it is currently disabled (most likely can be enabled in the client by just toggling an FFlag like how most disabled functions can be toggled this way) and Roblox seems to have no plans in the near future to re-enable it.

Can’t you achieve the same by using HttpService and sending requests to roproxy.com?

If it got to a point where it was crippling their servers, they’d just block roproxy. They can’t really do that with HttpRbxApiService because it’s their own method.

Interestingly, I was playing around with this when you could still create custom BuiltIns and found it only sent the auth cookie if it was a roblox.com domain. Seems strange to code this in when developers can’t even use it.
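
The domain restriction described in the last post, sketched as an added example (not code from this thread or from Roblox): an HTTP client that attaches a session cookie only when the destination is the first-party domain. The function names, the HTTPS requirement and the cookie value are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "roblox.com"  # first-party domain named in the thread


def is_first_party(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for https URLs whose host is `trusted` or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, without userinfo or port
    except ValueError:
        return False  # malformed URL: never attach credentials
    # Assumption: plaintext http is refused so the cookie never leaves TLS.
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # "www.roblox.com." names the same host
    # Compare on a label boundary. A bare endswith("roblox.com") would also
    # accept "evilroblox.com".
    return host == trusted or host.endswith("." + trusted)


def build_headers(url: str, session_cookie: str) -> dict:
    """Attach the session cookie only when the destination is first-party."""
    headers = {"Accept": "application/json"}
    if is_first_party(url):
        headers["Cookie"] = session_cookie
    return headers


# Constructed sample URLs covering the usual ways a naive check is fooled.
SAMPLES = [
    "https://apis.roblox.com/v1/example",    # subdomain: cookie attached
    "https://roblox.com/",                   # apex domain: cookie attached
    "https://evilroblox.com/",               # suffix without a dot boundary
    "https://roblox.com.example.net/",       # trusted name used as a prefix
    "https://roblox.com@example.net/",       # trusted name in the userinfo part
    "http://www.roblox.com/",                # right host, plaintext scheme
    "https://users.roproxy.com/v1/example",  # third-party proxy domain
]

if __name__ == "__main__":
    for sample in SAMPLES:
        sent = "Cookie" in build_headers(sample, "session=constructed-value")
        print(f"{'cookie sent' if sent else 'no cookie':12}  {sample}")
```

A check like this keeps the credential from reaching a third-party host even when the caller controls the URL, but it does not limit what an authenticated request to the first-party domain can do.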