RoZod provides automatic authentication handling for both browser and server environments, with support for multiple Roblox accounts, cookie rotation, and advanced security features.

Key features

RoZod automatically handles all authentication complexity:

Automatic cookie management

Cookies are automatically sent in browsers and easily configured for servers

Cookie pooling

Use multiple Roblox accounts for load distribution and failover

Security features

Built-in XCSRF token management, HBA signatures, and challenge handling

Cookie rotation

Automatic detection and handling of Roblox’s cookie rotation

Authentication by environment

Browser environments

In browser environments, authentication works automatically when users are logged into Roblox:
import { fetchApi } from 'rozod';
import { getUsersUserdetails } from 'rozod/lib/endpoints/usersv1';

// Cookies are sent automatically - no setup required!
const userInfo = await fetchApi(getUsersUserdetails, { userIds: [123456] });

No configuration is needed in browsers. RoZod automatically includes cookies from the user’s active Roblox session.

Server environments

For Node.js, Bun, or Deno environments, configure authentication once at startup:
import { configureServer, fetchApi } from 'rozod';
import { getUsersUserdetails } from 'rozod/lib/endpoints/usersv1';

// Configure once at startup
configureServer({ cookies: 'your_roblosecurity_cookie_here' });

// All subsequent requests automatically include the cookie
const userInfo = await fetchApi(getUsersUserdetails, { userIds: [123456] });

Never commit .ROBLOSECURITY cookies to version control. Always use environment variables or secure secret management.

OpenCloud authentication

For OpenCloud endpoints on apis.roblox.com, use API keys instead of cookies:
import { configureServer, fetchApi } from 'rozod';
import { v2 } from 'rozod/lib/opencloud';

// Configure OpenCloud API key
configureServer({ cloudKey: 'your_opencloud_api_key_here' });

// All OpenCloud requests automatically include x-api-key header
const universeInfo = await fetchApi(v2.getCloudV2UniversesUniverseId, {
  universe_id: '123456789',
});

You can configure both classic API cookies and OpenCloud keys together:
configureServer({
  cookies: ['account1', 'account2'],  // For classic *.roblox.com APIs
  cloudKey: 'your_opencloud_key',     // For apis.roblox.com
});

The API key is only applied to OpenCloud endpoints (URLs containing /cloud/). Cookies are applied to all other Roblox APIs.
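
Following the warning above about keeping .ROBLOSECURITY cookies out of version control, here is an added example (not RoZod's own code) that builds the `{ cookies, cloudKey }` object for `configureServer` from environment variables, rejects the placeholder strings used on this page, and provides a redacted view for logging. The variable names `ROBLOSECURITY_COOKIES` and `ROBLOX_CLOUD_KEY`, the comma separator, and the helper names are assumptions.

```javascript
// Added example: the environment variable names are assumptions, not RoZod settings.
const COOKIE_ENV = 'ROBLOSECURITY_COOKIES'; // comma-separated, one cookie per account
const CLOUD_KEY_ENV = 'ROBLOX_CLOUD_KEY';
// Documentation placeholders that must never be used as real credentials.
const PLACEHOLDERS = /^(your_|account\d+$)/i;

function readSecret(env, name) {
  const raw = (env[name] ?? '').trim();
  return raw === '' ? undefined : raw;
}

// Build the object passed to configureServer({ cookies, cloudKey }).
function loadAuthConfig(env) {
  const cookieVar = readSecret(env, COOKIE_ENV);
  const cloudKey = readSecret(env, CLOUD_KEY_ENV);
  const cookies = cookieVar
    ? cookieVar.split(',').map((c) => c.trim()).filter(Boolean)
    : [];
  if (cookies.length === 0 && !cloudKey) {
    throw new Error(`Set ${COOKIE_ENV} or ${CLOUD_KEY_ENV}`);
  }
  for (const secret of [...cookies, ...(cloudKey ? [cloudKey] : [])]) {
    if (PLACEHOLDERS.test(secret)) {
      throw new Error('Placeholder credential found; supply a real secret');
    }
  }
  if (new Set(cookies).size !== cookies.length) {
    throw new Error(`${COOKIE_ENV} contains a duplicate cookie`);
  }
  const config = {};
  if (cookies.length > 0) config.cookies = cookies;
  if (cloudKey) config.cloudKey = cloudKey;
  return config;
}

// Safe-to-log view of a config: a count and a flag, never the secret values.
function describeConfig(config) {
  return {
    cookieCount: [].concat(config.cookies ?? []).length, // string or array
    cloudKey: config.cloudKey ? 'set' : 'unset',
  };
}

// Usage at startup (requires the rozod package):
//   configureServer(loadAuthConfig(process.env));
//   console.log(describeConfig(getServerConfig()));
```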

Configuration management

RoZod provides utilities to manage your server configuration:
import { configureServer, clearServerConfig, getServerConfig } from 'rozod';

// Check current configuration.
// Note: this prints the stored cookie(s) and API key; keep it out of production logs.
const config = getServerConfig();
console.log(config.cookies, config.cloudKey);

// Clear all server configuration
clearServerConfig();

Next steps

Browser authentication

Learn about browser-specific authentication features

Server authentication

Configure authentication for Node.js, Bun, and Deno

Cookie pools

Use multiple accounts for load distribution

Security features

Understand automatic security handling
