OAuth 2.0 Authentication

This document describes endpoints that you call to implement the OAuth 2.0 authorization code flow, as well as other endpoints useful for implementing authentication in your apps.

Base URL

https://apis.roblox.com/oauth
Endpoints

GET v1/authorize
POST v1/token
POST v1/token/introspect
POST v1/token/resources
POST v1/token/revoke
GET v1/userinfo
GET .well-known/openid-configuration

Authorization

GET v1/authorize

Obtains authorization from the user to authenticate with their Roblox account. Expects a valid authorization URL constructed with the specified parameters. This endpoint supports PKCE authorization.

Query parameters

NameDescriptionRequiredExample
client_idThe app's client ID.yes816547628409595165403873012
redirect_uriThe URL that users are redirected back to after the completing authorization flow.yeshttps://www.roblox.com/example-redirect
scopeThe requested scopes, space delimited. Use the openid scope to receive an ID token. Use the openid and profile scope to obtain more user information.yesopenid profile
response_typeThe credentials the app wants returned. The default is the authorization code grant type.yesnone, code
promptSpecifies what authentication and consent pages are shown to users. Certain screens are required for third-party apps and can't be skipped.nonone, login, consent, select_account
nonceThe cryptographic number that binds the token with the client.no<random_value_1>
stateAn opaque value that prevents cross-site request forgery, a type of malicious attack. Passed back to the app after authorization.no<app-provided-opaque-value>
code_challengeThe resulting string of applying the code_challenge_method to the code_verifier.noBase64-URL-encoded string
code_challenge_methodThe function that is applied to the code_verifier.noS256

Request

Example Request of Directing to Authorization Flow

https://apis.roblox.com/oauth/v1/authorize?client_id=816547628409595165403873012&redirect_uri=https://my-app.com/redirect&scope=openid&response_type=code&nonce=12345&state=6789

Response

After calling this endpoint, the user is redirected to the specified redirect URL with the authorization code in a code query parameter. The authorization code:

  • Has a lifetime of one minute.
  • Can only be redeemed once.
  • Is invalid after one use.

Token Exchange

To obtain tokens to access APIs, exchange an authorization code for a set of confidential tokens. All token endpoints support two types of client authentication:

  1. HTTP Basic Authentication Scheme with an authorization header: Authorization: Basic Base64 encoded(<client_id>:<client_secret>).
  2. Client ID and secret in the request body as parameters.

The following list describes the various tokens you receive from this endpoint.

  • Access Token - Represents the authorization from a creator or user for a third-party app to access their protected Roblox resources. It's a string denoting a specific scope, lifetime, and other access attributes. Once the Roblox authorization server issues an access token to an app, the token:

    • Is valid for 15 minutes.
    • Can be used multiple times before it expires.
    • Can be invalidated before it expires if an app user revokes the authorization.
  • Refresh Token - Refreshes an authorization session. An app can use the refresh token to obtain a new set of tokens, which includes an access token, a refresh token, and an ID token. A refresh token:

    • Is valid for 6 months.
    • Can only be used once before it expires to refresh tokens.
    • Can be invalidated before it expires if an app user revokes the authorization.
  • ID Token - Provides proof that a user's identity has been authenticated. Its content depends on the scopes requested and can contain basic user information, including a user's Roblox display name and username. The ID token is only for identity authentication purposes and doesn't provide access to any Roblox resources.

POST v1/token

Obtain a set of tokens with an authorization code.

Request

(x-www-form-urlencoded)

KeyValue
code<authorization code>
code_verifier<pkce code verifier value>
grant_typeauthorization_code
client_id<client_id>
client_secret<client_secret>
Example Obtain Token Request

curl --location --request POST 'https://apis.roblox.com/oauth/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=840974200211308101' \
--data-urlencode 'client_secret=RBX-CR9...St12L' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=yCnq4ofX1...XmGpdx'

Response

Example Obtain Token Response

{
"access_token": "...",
"refresh_token": "...",
"token_type": "Bearer",
"expires_in": 899,
"scope": "universe-messaging-service:publish"
}

POST v1/token

Obtain a set of tokens with a refresh token.

Request

(x-www-form-urlencoded)

KeyValue
grant_typerefresh_token
refresh_token<refresh_token>
client_id<client_id>
client_secret<client_secret>
Example Refresh Token Request

curl --location --request POST 'https://apis.roblox.com/oauth/v1/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=Ujfstayclfdlbm...BGydlsnU' \
--data-urlencode 'client_id=840974200211308101' \
--data-urlencode 'client_secret=RBX-CR9...St12L'

Response

Example Refresh Token Request

{
"access_token": "...",
"refresh_token": "...",
"token_type": "Bearer",
"expires_in": 899,
"scope": "universe-messaging-service:publish"
}

POST v1/token/introspect

Receive information about a token. Verifies whether the token is presently valid and hasn't expired yet. Useful for stateless validation. Use only if the API you're accessing doesn't require a resource, such as Assets API, or if you just want to see specific claims of the token.

Request

(x-www-form-urlencoded)

KeyValue
token<access_token>, <refresh_token> or <id_token>
client_id<client_id>
client_secret<client_secret>
Example Introspect Token Request

curl --location --request POST 'https://apis.roblox.com/oauth/v1/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyjlflabtfl...4gxqYBG' \
--data-urlencode 'client_id=840974200211308101' \
--data-urlencode 'client_secret=RBX-CR9...St12L'

Response

Example Introspect Token Response

{
"active": true,
"jti": "RT.2GcjvTduKzk6QY9tjTfm",
"iss": "https://apis.roblox.com/oauth/",
"token_type": "Bearer",
"client_id": "840974200211308101",
"aud": "4239311013248676173",
"sub": "1516563360",
"scope": "universe-messaging-service:publish",
"exp": 1676394509,
"iat": 1660842510
}

POST v1/token/resources

Check whether a token can access a specific resource by obtaining the list of user resources that the user gave permission for. This is useful for stateful validation.

Request

(x-www-form-urlencoded)

KeyValue
token<access_token>
client_id<client_id>
client_secret<client_secret>
Example Obtain Token Resources Request

curl --location --request POST https://apis.roblox.com/oauth/v1/token/resources' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyjlflabtfl...4gxqYBG' \
--data-urlencode 'client_id=840974200211308101' \
--data-urlencode 'client_secret=RBX-CR9...St12L'

Response

Example Obtain Token Resources Response

{
"resource_infos": [
{
"owner": {
"id": "1516563360",
"type": "User"
},
"resources": {
"universe": {
"ids": ["3828411582"]
}
}
}
]
}

POST v1/token/revoke

Revoke an authorization session using the provided refresh token.

Request

(x-www-form-urlencoded)

KeyValue
token<refresh_token>
client_id<client_id>
client_secret<client_secret>
Example Revoke Token Request

curl --location --request POST https://apis.roblox.com/oauth/v1/token/revoke' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=Ujfstayclfdlbm...BGydlsnU' \
--data-urlencode 'client_id=840974200211308101' \
--data-urlencode 'client_secret=RBX-CR9...St12L'

Response

200 OK with an empty response

User Information

GET /v1/userinfo

Gets the Roblox user ID and other user metadata.

Request

Authorization header: Authorization: Bearer <access_token>

Example Get User Info Request

curl --location --request GET 'https://apis.roblox.com/oauth/v1/userinfo' \
--header 'Authorization: Bearer eyjlflabtfl...4gxqYBG'

Response

You can use the sub value to uniquely identify the user. Users can change their Roblox username and display name, so don't use them as unique identifiers to refer to users on your app.

ClaimDescription
subRoblox user ID.
nameRoblox display name.
nicknameRoblox display name.
preferred_usernameRoblox username.
created_atCreation time of the Roblox account as a Unix timestamp.
profileRoblox account profile URL.
pictureRoblox avatar headshot image. Can be null if the avatar headshot image hasn't yet been generated or has been moderated.
Example User with Profile Scope

{
"sub": "1516563360",
"name": "exampleuser",
"nickname": "exampleuser",
"preferred_username": "exampleuser",
"created_at": 1584682495,
"profile": "https://www.roblox.com/users/1516563360/profile",
"picture": "https://tr.rbxcdn.com/03dc2a9abe7b1aacaaf93ea46d5c0646/150/150/AvatarHeadshot/Png"
}
Example User without Profile Scope

{
"sub": "1516563360"
}

Discovery

The OpenID Connect (OIDC) Discovery Document is a JSON document that contains metadata about the Open Cloud configuration details, including a list of identity-related scopes and claims that are supported. You can use it to dynamically discover information about Open Cloud OAuth 2.0 endpoints and configuration, such as the authorization endpoint, token endpoint, and public key set.

After retrieving and fetching the Discovery Document from the Discovery document URI, you can either manually inspect fields in the response to verify the information, or you can create your own custom library mapping to fields in the response schema to automate your workflow.

GET .well-known/openid-configuration

Response

All Discovery Document responses follow the same schema as the following example response.

Example Discovery Document Response

{
"issuer": "https://apis.roblox.com/oauth/",
"authorization_endpoint": "https://apis.roblox.com/oauth/v1/authorize",
"token_endpoint": "https://apis.roblox.com/oauth/v1/token",
"introspection_endpoint": "https://apis.roblox.com/oauth/v1/token/introspect",
"revocation_endpoint": "https://apis.roblox.com/oauth/v1/token/revoke",
"resources_endpoint": "https://apis.roblox.com/oauth/v1/token/resources",
"userinfo_endpoint": "https://apis.roblox.com/oauth/v1/userinfo",
"jwks_uri": "https://apis.roblox.com/oauth/v1/certs",
"registration_endpoint": "https://create.roblox.com/dashboard/credentials",
"service_documentation": "https://create.roblox.com/docs/reference/cloud",
"scopes_supported": [
"openid",
"profile",
"email",
"verification",
"credentials",
"age",
"premium",
"roles"
],
"response_types_supported": ["none", "code"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["ES256"],
"claims_supported": [
"sub",
"type",
"iss",
"aud",
"exp",
"iat",
"nonce",
"name",
"nickname",
"preferred_username",
"created_at",
"profile",
"email",
"email_verified",
"verified",
"age_bracket",
"premium",
"roles",
"internal_user"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
]
}