Open Cloud authenticates and authorizes API access with the use of API keys, which allow you to add granular permissions and security control for accessing and utilizing certain resources in your game, such as data stores and places.
All Open Cloud APIs require you to create an API key with valid permissions and include an x-api-key header in your request, which allows the application to authenticate to Open Cloud on your behalf.
Create API keys
You can create and configure API keys to access your resources. An API key's access is determined by the permissions of the user who owns it. This means it can generally access any resource the user has permissions for, including their individual games and any group-owned games where they have the appropriate role. Some scopes can be restricted to specific games, but not all.
For details on how to create API keys for managing group resources, see the Create API keys for managing group-owned resources section below.
To create an API key:
In the Creator Dashboard, go to the API Keys page.
Click the Create API Key button.
Enter a unique name for your API key. Use a name that can help you recall the purpose later, such as PLACE_PUBLISHING_KEY for publishing places to your game.
In the Access Permissions section, select an API from the Select API System menu. Repeat this step if you need to add multiple APIs to the key.
If applicable, select the game that you want to access with the API key.
You can optionally disable Restrict by Experience. When disabled, your API key has access to all of your user-owned games and any group-owned games where you have the appropriate permissions, including any games you create in the future.
From the Select Operations dropdown, select the operations that you want to enable for the API key.
Most operations in the API reference include the required permission scopes. For example, the flush memory store operation requires the universe.memory-store:flush permission.
For a list of all scopes and the APIs they support, see Scopes.
(Optional) In the Security section, explicitly restrict IP access to the key using CIDR notation. You can find the IP address of your local machine and add it to the Accepted IP Addresses section along with additional IP addresses for those that need access. If you don't have a fixed IP, or you are using the API key only in a local environment, you can leave the Restrict IP addresses toggle unchecked to allow any IP to use your API key.
(Optional): To add additional protection for your resources, set an expiration date for your key.
Click the Save & Generate key button.
Copy and save the API key string to a secure location, not a public repository for your code.
Verify the status of your API key on the API Extensions page of Creator Dashboard.
Create API keys for managing group-owned resources
An API key grants access to all resources the user account has permissions for, including personal games outside of the group. If you use your personal account's API key for group automation and that key is compromised, other resources you have access to are also at risk.
To prevent this, we strongly recommend creating a separate API key on a dedicated alternate account with access strictly limited to the target group. This new account dedicated for automation purposes should only be given access to the target group and granted the minimal permissions required for its task.
- Create a new, dedicated Roblox account for your automation.
- Invite the new account to your group.
- Assign it a group role with the minimum permissions required for its task (e.g., only "Create and edit group experiences").
- Log in to the new account and follow the steps in the section above to create an API key.
- Use the generated API key for group resource automation.
Best Practices For Managing API Keys
API keys are sensitive credentials that should be kept secure to prevent unauthorized access to your data. Here are some best practices for managing API keys.
Create separate keys for each application: Create separate API keys for each application or use case to isolate access and reduce the impact if a key is compromised.
Select the minimum permissions needed: When configuring scopes, select the minimum permissions necessary for the key's intended use. For those scopes that allow you to restrict scope access by game, limit access to only the specific games that are needed.
Use IP address restrictions: Restrict API key access to specific IP addresses or CIDR ranges to prevent unauthorized usage from unknown locations. Do not use IP address restrictions when using your API key in Roblox places to ensure your key can be used with Roblox servers.
Set expiration dates: For short-term use cases, configure expiration dates to automatically disable keys after a set period, reducing the risk if a key is compromised. Setting expiration dates is not recommended for longer-term use cases unless you have a key rotation process in place, as your automation can unexpectedly fail when the key expires.
Use dedicated alternate accounts for group resource management: Use a dedicated account with minimal permissions for group resource management, as detailed in the Create API keys for managing group-owned resources section.
Store API keys securely: Never store API keys directly in your source code, version control systems, or scripts where they could be exposed. Use a secrets management system for storing and controlling access to your keys. In Roblox places, use a Secrets Store.
Do not share API keys through public channels: Never share API keys through public communication channels, forums, or social media. Only share keys through secure, private channels with trusted team members. Limit access to who you share your keys with to minimize the blast radius if a key is compromised.
CIDR format
To further protect your resources, when creating an API key, specify IP addresses that can access the API key with either normal IP addresses or using the CIDR notation. A CIDR IP address looks like a normal IP address except it ends with a slash and a decimal that represents how many bits of the IP address are significant for network routing:
- Normal: 192.168.0.0
- CIDR: 192.168.0.0/24
The former part is the IP address and the latter part is the netmask, counting the bits of 1s in binary format. In the previous example, 24 means 255.255.255.0 (24 1s) that allows all IPs between 192.168.0.0 and 192.168.0.255. Understanding CIDR format is particularly useful if you plan to run your applications on a server.
API key status
API keys initially have an active status, but they can become inactive over their lifetime. To learn why an API key has changed status and how to return the API key back to an active status, see the following table.
| Status | Reason | Resolution |
|---|---|---|
| Active | No issues. The user can use the key to authenticate API calls. | N/A |
| Disabled | The user disabled the key by disabling the Enable Key toggle. | Enable the Enable Key toggle. |
| Expired | The key's expiration date has passed. | Either remove or set a new expiration date. |
| Auto-Expired | The user hasn't used or updated the key in the past 60 days. | You can either disable then enable the Enable Key toggle, or you can update any of the key's properties, such as the name, description, or expiration date. |
| Revoked | For group keys only. The account that generated the key no longer has the sufficient access permission to manage the group's keys. | Click the Regenerate Key to get a new secret. |
| Moderated | A Roblox admin changed the key's secret for security reasons. | Click the Regenerate Key to get a new secret. |
| User Moderated | The account that generated the key is under moderation by Roblox. | Resolve the moderation issue on the account. |
Introspect API keys
POST api-keys/v1/introspect
Retrieve information about an API key. Verifies whether the key can be used from the requester's IP address and whether the key or the last generated user is moderated.
Request
(application/json)
| Key | Value |
|---|---|
| apiKey | <api_key> |
Example Introspect API Key Requestcurl --location --request POST 'https://apis.roblox.com/api-keys/v1/introspect' \--header 'Content-Type: application/json' \--data '{"apiKey": "your-api-key"}'
Response
There are four possible resource identifiers that can be present in each scope object:
- userId
- groupId
- universeId
- universeDatastore
The userId and groupId identifiers are only relevant to scopes with the creator target. The universeDatastore identifier is only relevant to scopes with the universe-datastore target. The resource identifier will be omitted for scopes that do not support resource selection.
An asterisk (*) in the resource identifier list indicates that the scope has permission on all resources of that type.
Example Introspect API Key Response
{
"name": "test key",
"authorizedUserId": 234,
"scopes": [
{
"name": "universe-datastores.objects",
"operations": [
"create"
],
"universeDatastores": [
{
"universeId": "123",
"datastoreName": "playerData"
}
]
},
{
"name": "asset",
"operations": [
"write"
],
"groupIds": [
"*"
],
"userIds": [
"*"
]
}
],
"enabled": true,
"expired": false,
"expirationTimeUtc": "2026-01-01T12:00:00.000Z"
}