Quickstart
Run a live API self-test inside Roblox Studio.
1. Create an account, verify email, set a password, and enable Google Authenticator from Security.
2. Create a live key from Keys. The raw key is shown once, then stored only as a hash on the VPS.
3. Add the Lua SDK as a ModuleScript named RobloxAPIs in ServerScriptService.
4. Call RunStudioSelfTests from a server script to validate safe write/read flows across the live APIs.
```lua
local HttpService = game:GetService("HttpService")
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
local summary, err = client:RunStudioSelfTests({
    userId = 156,
    renderSign = true
})
if err then
    warn("RobloxAPIs self-test failed to start", err.statusCode)
    return
end
print(HttpService:JSONEncode(summary))
```
Install SDK
Roblox Lua ModuleScript
The SDK is hosted at /sdk/robloxapis.lua. Paste it into a ModuleScript named RobloxAPIs. Server-side placement is recommended so live keys never enter client scripts.
Placement
ServerScriptService
Use server scripts for authenticated calls. Never expose production keys to LocalScripts.
Network
HttpService
Enable HTTP requests for the experience before using live API routes.
Version
v1 Routes
All current SDK methods target /api/v1/... and return JSON.
Studio self-test
One call validates the current live API surface.
RunStudioSelfTests writes temporary test data, reads it back, and cleans up the records that should not remain active. It currently covers Experience Config, Storage Vault, Cross-Game Ban, Trade Guard, Receipt Ledger, Entitlement Mirror, Inventory Snapshot, Quest Templates, Progression Cloud, Group Sync, Economy Guard, Session Analytics, Feature Flags, Webhook Events, Live Messaging, Matchmaking Queue, and Server Directory.
| Check | What it proves |
| --- | --- |
| Experience Config | A game server can store config, fetch it, and render it as an in-world sign. |
| Storage Vault | JSON objects can be stored, fetched, and deleted under the shared workspace quota. |
| Cross-Game Ban | A temporary scoped ban can be created, detected, and revoked. |
| Trade Guard | A fake trade can be scored once, detected as duplicate, and looked up by trade id. |
| Receipt Ledger | A fake receipt ID is granted once and detected as duplicate on the second call. |
| Entitlement Mirror | A scoped VIP-style entitlement is granted, checked, listed, and revoked. |
| Inventory Snapshot | An item is saved, equipped into a loadout slot, fetched, listed, and deleted. |
| Quest Templates | A reusable quest is saved, assigned to a user, progressed to completion, listed, and cleaned up. |
| Progression Cloud | Quest progress, XP, and claimed rewards can be updated and read back. |
| Group Sync | A sample policy can be stored for a group policy graph. |
| Economy Guard | An economy event is scored and archived. |
| Session Analytics | Session events are written, summarized, listed for a player, and deleted. |
| Feature Flags | A temporary experiment is saved, assigned to a player, exposed, listed, and deleted. |
| Webhook Events | A live ops event is accepted into the event stream. |
| Live Messaging | A short-lived message can be published, polled, read, and revoked. |
| Matchmaking Queue | A party ticket can be created, matched, listed, looked up, and cancelled. |
| Server Directory | A live server heartbeat can be saved, listed, read, and removed. |
Authentication
API keys are separate from website sessions.
In-game requests authenticate with either an Authorization bearer token or an X-API-Key header.
```
Authorization: Bearer rba_sk_live_your_key
X-API-Key: rba_sk_live_your_key
```
| Control | Behavior |
| --- | --- |
| One-time reveal | Raw keys are shown only at creation time. |
| Hashing | Keys are stored as HMAC hashes using the server secret. |
| 2FA gate | Key creation requires Google Authenticator enabled. |
| Shared storage | Storage is pooled at the workspace plan level. Keys track request counts and last-used timestamps. |
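The controls in the table above (one-time reveal, HMAC-hashed storage, per-key request counts) combined with the two header forms, as an added Node.js example that is not the service's own code. HMAC-SHA256, the in-memory `Map` store, the demo secret, and all function names are assumptions.

```javascript
// Added example, not the service's code. HMAC-SHA256 and the Map store are assumptions.
const crypto = require("node:crypto");

// Constructed demo secret; a real deployment loads this from a secret store.
const SERVER_SECRET = "constructed-demo-secret";

// Keyed digest of a raw API key. Only this value is ever persisted.
function hashKey(rawKey, secret = SERVER_SECRET) {
  return crypto.createHmac("sha256", secret).update(rawKey, "utf8").digest("hex");
}

// One-time reveal: the raw key is returned to the caller and never stored.
function createKey(store, owner) {
  const rawKey = "rba_sk_live_" + crypto.randomBytes(24).toString("hex");
  store.set(hashKey(rawKey), { owner, revoked: false, requests: 0, lastUsed: null });
  return rawKey;
}

// Accept either documented form: "Authorization: Bearer <key>" or "X-API-Key: <key>".
// A malformed Authorization header is rejected rather than silently falling back.
function extractKey(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  if (h["authorization"]) {
    const m = /^Bearer\s+(\S+)$/i.exec(h["authorization"].trim());
    return m ? m[1] : null;
  }
  return h["x-api-key"] ? h["x-api-key"].trim() : null;
}

// Missing, unknown, and revoked keys all get the same 401 body, so a caller
// cannot tell which case applied. Lookup is by keyed digest, so the raw key
// is never compared against stored material.
function authenticate(store, headers, now = Date.now()) {
  const fail = { status: 401, body: { ok: false, error: "invalid_api_key" } };
  const rawKey = extractKey(headers);
  if (!rawKey) return fail;
  const record = store.get(hashKey(rawKey));
  if (!record || record.revoked) return fail;
  record.requests += 1;   // per-key request count
  record.lastUsed = now;  // last-used timestamp
  return { status: 200, owner: record.owner };
}
```

Because the digest is keyed with the server secret, a copy of the stored table alone is not enough to test candidate keys offline.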
Physically testable API
Experience Config API
This API stores a live configuration payload and reads it back from Roblox Studio. The SDK helper can render that payload onto a sign so the test is visible in the game world.
```lua
client:SetExperienceConfig("studio-sign", {
    title = "Roblox APIs Live Test",
    message = "Fetched live from robloxapis.com",
    accent = "#20E3B2",
    variant = "success"
})
local rendered, err = client:ApplyExperienceConfigSign("studio-sign", {
    position = Vector3.new(0, 6, 0)
})
```
Trade safety
Trade Guard API
Trade Guard verifies a player-to-player trade before the game finalizes it. It stores the trade id once, detects duplicate submissions, scores suspicious value imbalance or rapid trade velocity, and returns a decision the server can enforce.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
-- tradeId, sender, and receiver come from the game's own trade handler.
local result, err = client:VerifyTrade({
    tradeId = tradeId,
    fromUserId = sender.UserId,
    toUserId = receiver.UserId,
    offeredItems = {
        { itemId = "crystal_sword", quantity = 1, value = 1200 }
    },
    requestedItems = {
        { itemId = "gold_pack", quantity = 1, value = 900 }
    }
})
-- Fail closed: an API error, a "block", or a "review" decision all stop the trade.
if err or result.decision == "block" or result.decision == "review" then
    return false
end
```
Monetization safety
Receipt Ledger API
Receipt Ledger stores developer product receipts once. The first verification returns duplicate: false; later calls with the same purchase id return duplicate: true so grants stay idempotent.
```lua
local MarketplaceService = game:GetService("MarketplaceService")
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
MarketplaceService.ProcessReceipt = function(receiptInfo)
    local result, err = client:VerifyReceipt(receiptInfo, {
        grant = "vip_pack",
        metadata = { source = "ProcessReceipt" }
    })
    if err then
        -- Verification failed: report the receipt as not yet processed.
        return Enum.ProductPurchaseDecision.NotProcessedYet
    end
    if not result.duplicate then
        -- Grant the product here.
    end
    return Enum.ProductPurchaseDecision.PurchaseGranted
end
```
Shared player inventory
Inventory Snapshot API
Inventory Snapshot mirrors item ownership, quantities, attributes, metadata, and equipped loadout slots under the shared workspace quota. Use it when multiple places need the same player inventory view without duplicating item state in every experience.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
client:SetInventoryItem(player.UserId, "crystal-sword", {
    type = "weapon",
    quantity = 1,
    attributes = {
        rarity = "rare",
        power = 120
    }
})
client:UpdateInventoryItem(player.UserId, "crystal-sword", {
    equipped = true,
    loadoutSlot = "primary"
})
local inventory, err = client:ListInventory(player.UserId, {
    itemType = "weapon",
    equipped = true
})
```
In-game telemetry
Session Analytics API
Session Analytics stores player and server events with session ids, event types, numeric values, and custom properties. Use it for round completion, onboarding funnels, retention signals, map performance, and other server-authored events that should be queryable outside Roblox DataStores.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
client:TrackAnalyticsEvents({
    {
        eventId = "join_" .. player.UserId .. "_" .. game.JobId,
        userId = player.UserId,
        sessionId = game.JobId,
        eventType = "session_started",
        value = 1,
        properties = {
            map = workspace:GetAttribute("MapName")
        }
    },
    {
        eventId = "round_" .. player.UserId .. "_" .. os.time(),
        userId = player.UserId,
        sessionId = game.JobId,
        eventType = "round_completed",
        value = 120,
        properties = {
            result = "win"
        }
    }
})
local summary, err = client:GetAnalyticsSummary({
    sessionId = game.JobId,
    sinceMinutes = 60
})
```
Experiments and live ops
Feature Flags API
Feature Flags stores rollout definitions and returns deterministic player assignments. Use it for A/B tests, seasonal toggles, economy tuning, UI variants, beta access, and emergency kill switches without publishing a new Roblox build.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
client:SetFeatureFlag("double-xp", {
    enabled = true,
    defaultVariant = "control",
    rolloutPercent = 50,
    variants = {
        { key = "control", weight = 50, payload = { multiplier = 1 } },
        { key = "treatment", weight = 50, payload = { multiplier = 2 } }
    }
})
local result, err = client:GetFeatureAssignment("double-xp", player.UserId)
if not err then
    local assignment = result.assignment
    player:SetAttribute("XpMultiplier", assignment.payload.multiplier or 1)
    client:TrackFeatureExposure("double-xp", {
        exposureId = "double-xp-" .. player.UserId .. "-" .. game.JobId,
        userId = player.UserId,
        variant = assignment.variant,
        sessionId = game.JobId
    })
end
```
In-game progression
Progression Cloud API
Progression Cloud stores player level, XP, streaks, quests, and claimed rewards by season. Use PATCH for small in-game updates like quest progress or streak changes.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
client:SetProgression(player.UserId, {
    season = "s1",
    level = 1,
    xp = 0,
    quests = {
        daily_win = { progress = 0, goal = 2 }
    }
})
local updated, err = client:UpdateProgression(player.UserId, {
    season = "s1",
    quest = "daily_win",
    progress = 1,
    goal = 2,
    incrementXp = true,
    xp = 150
})
```
Policy graph
Group Sync API
Group Sync stores moderation and role policy for Roblox groups connected to a studio workflow. It is useful for shared moderator roles, linked universe lists, and deciding whether Cross-Game Ban enforcement should apply to a group network.
```lua
client:SetGroupPolicy(123456, {
    enforceCrossGameBans = true,
    trustedRoles = { "Admin", "Moderator" },
    linkedUniverses = { tostring(game.GameId) },
    notes = "Production policy"
})
```
Cross-server operations
Live Messaging API
Live Messaging stores short-lived announcements, event toggles, shutdown warnings, or admin broadcasts that game servers can poll by topic. Messages can be scoped by universe or server job, and revoked when an operation changes.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
client:PublishLiveMessage("event.double_xp", {
    enabled = true,
    minutes = 30
}, {
    priority = "high",
    ttlSeconds = 1800
})
local inbox, err = client:PollLiveMessages({
    topic = "event.double_xp",
    limit = 10
})
if not err then
    for _, message in ipairs(inbox.messages) do
        print(message.topic, message.payload.enabled)
    end
end
```
Queue handoff
Matchmaking Queue API
Matchmaking Queue creates short-lived party tickets with mode, region, skill, and party metadata. The API returns either a queued state or a matched handoff object that your server can use to coordinate the next teleport or server reservation step.
```lua
local RobloxAPIs = require(script.RobloxAPIs)
local client = RobloxAPIs.new("rba_sk_live_your_key")
local ticket, err = client:CreateMatchmakingTicket(player.UserId, {
    partyId = "party-123",
    party = {
        { userId = player.UserId, role = "leader", ready = true }
    },
    mode = "ranked_2v2",
    region = "auto",
    skill = 1200,
    autoMatch = true
})
if not err and ticket.ticket.status == "matched" then
    print(ticket.ticket.matchId, ticket.ticket.reservedServerCode)
end
```
API reference
Current v1 routes
| Method | Route | Purpose |
| --- | --- | --- |
| PUT | /api/v1/experience/configs/{configKey} | Store live config for Studio or game servers. |
| GET | /api/v1/experience/configs/{configKey} | Fetch stored config payload. |
| POST | /api/v1/cross-ban/check | Check moderation state for a Roblox user. |
| POST | /api/v1/cross-ban/bans | Create or update an active ban record. |
| GET | /api/v1/cross-ban/bans | List active ban records for the workspace. |
| DELETE | /api/v1/cross-ban/bans/{banId} | Revoke one active ban record. |
| GET | /api/v1/intel/users/{userId} | Read risk and policy metadata for a player. |
| PUT | /api/v1/vault/objects/{objectKey} | Store arbitrary JSON against the API key owner. |
| GET | /api/v1/vault/objects/{objectKey} | Read a stored JSON object. |
| DELETE | /api/v1/vault/objects/{objectKey} | Delete a stored JSON object. |
| POST | /api/v1/economy/signals | Archive an economy event and risk score. |
| POST | /api/v1/analytics/events | Store one or many player/session telemetry events. |
| GET | /api/v1/analytics/summary | Read event counts, unique users, sessions, and grouped event-type metrics. |
| GET | /api/v1/analytics/users/{userId}/events | List recent analytics events for one Roblox user. |
| DELETE | /api/v1/analytics/events/{eventId} | Delete one stored analytics event, mainly for cleanup or bad emits. |
| GET | /api/v1/flags | List feature flags, optionally filtered to enabled or disabled definitions. |
| GET | /api/v1/flags/{flagKey} | Read one feature flag definition and rollout configuration. |
| PUT | /api/v1/flags/{flagKey} | Create or replace a deterministic feature flag with variants and rollout percent. |
| DELETE | /api/v1/flags/{flagKey} | Delete one feature flag and its exposure records. |
| GET | /api/v1/flags/{flagKey}/assignments/{userId} | Get the deterministic variant assignment for one Roblox user. |
| POST | /api/v1/flags/{flagKey}/exposures | Record that a user saw or used an assigned variant. |
| POST | /api/v1/trades/verify | Verify and score a player-to-player trade before finalization. |
| GET | /api/v1/trades/{tradeId} | Read a stored trade decision and item snapshot. |
| POST | /api/v1/receipts/verify | Verify and store a developer product receipt once. |
| GET | /api/v1/receipts/{receiptId} | Read a stored receipt ledger entry. |
| POST | /api/v1/entitlements/grant | Grant or update a mirrored pass, VIP flag, subscription, bundle, or cosmetic. |
| POST | /api/v1/entitlements/check | Check one or many entitlements for a player with optional scope matching. |
| GET | /api/v1/entitlements/users/{userId} | List mirrored entitlements for one Roblox user. |
| PUT | /api/v1/entitlements/users/{userId}/{entitlementId} | Upsert a specific scoped entitlement for one user. |
| DELETE | /api/v1/entitlements/users/{userId}/{entitlementId} | Revoke a specific scoped entitlement for one user. |
| GET | /api/v1/inventory/users/{userId} | List active player inventory items by type, equipped state, slot, or status. |
| GET | /api/v1/inventory/users/{userId}/items/{itemId} | Read one mirrored inventory item. |
| PUT | /api/v1/inventory/users/{userId}/items/{itemId} | Create or replace an item snapshot with quantity, attributes, metadata, and loadout state. |
| PATCH | /api/v1/inventory/users/{userId}/items/{itemId} | Update item quantity, equipped state, loadout slot, attributes, or metadata. |
| DELETE | /api/v1/inventory/users/{userId}/items/{itemId} | Remove one item from the active inventory snapshot. |
| GET | /api/v1/quests/templates | List reusable quest templates by season, cadence, tag, or active status. |
| GET | /api/v1/quests/templates/{templateKey} | Read one reusable quest template. |
| PUT | /api/v1/quests/templates/{templateKey} | Create or update a daily, weekly, seasonal, event, or custom quest template. |
| DELETE | /api/v1/quests/templates/{templateKey} | Deactivate one quest template. |
| POST | /api/v1/quests/assignments | Assign a template to a player with starter progress. |
| GET | /api/v1/quests/assignments/users/{userId} | List a player's quest assignments. |
| GET | /api/v1/quests/assignments/{assignmentId} | Read one quest assignment. |
| PATCH | /api/v1/quests/assignments/{assignmentId} | Update objective progress, status, metadata, or claimed rewards. |
| DELETE | /api/v1/quests/assignments/{assignmentId} | Delete one quest assignment. |
| GET | /api/v1/progression/users/{userId} | Fetch stored seasonal player progression. |
| PUT | /api/v1/progression/users/{userId} | Replace a player's seasonal progression profile. |
| PATCH | /api/v1/progression/users/{userId} | Apply quest, XP, streak, reward, or flag updates. |
| DELETE | /api/v1/progression/users/{userId} | Delete one seasonal progression profile. |
| POST | /api/v1/webhooks/events | Store live ops events for downstream delivery. |
| POST | /api/v1/live-messages/publish | Publish a short-lived message for game servers. |
| GET | /api/v1/live-messages/poll | Poll active messages by topic, universe, server, or timestamp. |
| GET | /api/v1/live-messages/{messageId} | Read one stored live message. |
| DELETE | /api/v1/live-messages/{messageId} | Revoke one active live message. |
| POST | /api/v1/matchmaking/tickets | Create a short-lived party ticket and optional match handoff. |
| GET | /api/v1/matchmaking/tickets | List matchmaking tickets by status, mode, or player. |
| GET | /api/v1/matchmaking/tickets/{ticketId} | Read one matchmaking ticket. |
| DELETE | /api/v1/matchmaking/tickets/{ticketId} | Cancel one matchmaking ticket. |
| POST | /api/v1/servers/heartbeat | Register or refresh a live game server directory entry. |
| GET | /api/v1/servers | List active servers by mode, region, universe, place, or status. |
| GET | /api/v1/servers/{serverId} | Read one live server directory entry. |
| DELETE | /api/v1/servers/{serverId} | Remove one server from the live directory. |
| GET | /api/v1/groups/{groupId}/policy | Read stored group policy and role sync configuration. |
| PATCH | /api/v1/groups/{groupId}/policy | Patch group policy and role sync configuration. |
| PUT | /api/v1/groups/{groupId}/policy | Replace group policy and role sync configuration. |
| POST | /api/v1/roblox/open-cloud/introspect | Verify a Roblox Open Cloud API key with Roblox. |
Errors
Every failure returns JSON.
```json
{
  "ok": false,
  "error": "invalid_api_key"
}
```
| Status | Error | Meaning |
| --- | --- | --- |
| 400 | invalid_json | The request body could not be parsed. |
| 400 | receipt_id_required | Receipt verification is missing a purchase or receipt id. |
| 400 | trade_id_required | Trade verification is missing a stable trade id. |
| 400 | valid_trade_users_required | Trade verification is missing valid sender or receiver user ids. |
| 400 | valid_product_id_required | Receipt verification is missing a numeric developer product id. |
| 400 | valid_user_id_required | The route or body is missing a valid Roblox user id. |
| 400 | valid_flag_and_user_required | A Feature Flags assignment or exposure is missing a valid flag key or Roblox user id. |
| 401 | invalid_api_key | The key is missing, revoked, or unknown. |
| 404 | flag_not_found | The requested Feature Flags definition has not been created yet. |
| 413 | storage_quota_exceeded | The write would exceed the workspace storage quota. |
| 429 | api_rate_limited | The plan's per-minute limit was exceeded. |
| 500 | api_internal_error | The request failed unexpectedly. |
Security
Operational security rules for Roblox games.
Keys
Server only
Never place live keys in LocalScripts, public assets, or client-delivered modules.
Rotation
Rotate on leak
Revoke exposed keys from the dashboard and create a replacement key.
Audit
Review usage
Request logs, storage usage, and audit events make suspicious traffic visible.
Release process
Versioned routes, documented changes, and visible status.
Breaking API changes should ship under a new version path. Non-breaking SDK helpers can be added to the hosted Lua and JS SDKs. Product-facing changes are tracked in the changelog and service availability is summarized on the status page.