content/en-us/cloud/auth/api-keys.md
9 additions & 13 deletions
@@ -20,7 +20,7 @@ Group API keys are being deprecated and will not be supported after January 30,
20
20
21
21
You can create and configure API keys to access your resources. An API key's access is determined by the permissions of the user who owns it. This means it can generally access any resource the user has permissions for, including their individual experiences and any [group-owned](../../projects/groups.md) experiences where they have the appropriate role. Some scopes can be restricted to specific experiences, but not all.
22
22
23
-
For details on how to create API keys for managing group resources, see the [Create API Keys for Managing Group-owned Resources](#create-api-keys-for-managing-group-owned-resources) section below.
23
+
For details on how to create API keys for managing group resources, see the [Create API keys for managing group-owned resources](#create-api-keys-for-managing-group-owned-resources) section below.
24
24
25
25
To create an API key:
26
26
@@ -46,10 +46,6 @@ To create an API key:
46
46
47
47
For a list of all scopes and the APIs they support, see [Scopes](../reference/scopes.md).
48
48
49
-
<Alertseverity="warning">
50
-
For security reasons, give each API key the minimum number of required permissions. If an API key leaks, this principle of least privilege ensures that only a subset of your resources are compromised.
51
-
</Alert>
52
-
53
49
1.**(Optional)** In the **Security** section, explicitly restrict IP access to the key using [CIDR
54
50
notation](#cidr-format). You can find
55
51
the IP address of your local machine and add it to the **Accepted IP
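Review bot: Removing the warning alert that followed the Scopes link takes the least-privilege guidance out of the key-creation steps, which is where the reader is actually selecting scopes. The "Select the minimum permissions needed" bullet under best practices still covers the instruction, but it does not carry the rationale from the deleted text, that a leaked key then exposes only a subset of resources. Suggest keeping a one-sentence version at this step, or a link from here to the best practices section, and stating in the commit message that the removal is intentional rather than part of the capitalization cleanup.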
@@ -71,16 +67,16 @@ To create an API key:
71
67
your application. Never share it with untrusted parties, such as anyone outside
72
68
of your development team. </Alert>
73
69
74
-
## Create API Keys for Managing Group-owned Resources
70
+
## Create API keys for managing group-owned resources
75
71
76
-
An API key grants access to all resources the user account has permissions for, including personal experiences outside of the group. If you use your personal account's API key for group automation and that key is compromised, other resources you may have access to are also at risk.
72
+
An API key grants access to all resources the user account has permissions for, including personal experiences outside of the group. If you use your personal account's API key for group automation and that key is compromised, other resources you have access to are also at risk.
77
73
78
74
To prevent this, we **strongly recommend** creating a separate API key on a dedicated alternate account with access strictly limited to the target group. This new account dedicated for automation purposes should only be given access to the target group and granted the minimal permissions required for its task.
79
75
80
76
1. Create a new, dedicated Roblox account for your automation.
81
77
1. Invite the new account to your group.
82
78
1. Assign it a group role with the minimum permissions required for its task (e.g., only "Create and edit group experiences").
83
-
1. Log into the new account and follow the steps in the section above to [create an API key](#create-api-keys).
79
+
1. Log in to the new account and follow the steps in the section above to [create an API key](#create-api-keys).
84
80
1. Use the generated API key for group resource automation.
85
81
86
82
## Best Practices For Managing API Keys
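Review bot: The group-owned resources heading moves to sentence case here, but the `## Best Practices For Managing API Keys` heading in the trailing context is left in title case, so the page ends up with mixed heading styles. Suggest changing it to `## Best practices for managing API keys` in the same commit. The reworded step also keeps its link to `#create-api-keys`; no heading with that anchor is visible in this diff, so it is worth confirming the target resolves while the line is being touched.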
@@ -91,15 +87,15 @@ API keys are sensitive credentials that should be kept secure to prevent unautho
91
87
92
88
-**Select the minimum permissions needed**: When configuring scopes, select the minimum permissions necessary for the key's intended use. For those scopes that allow you to restrict scope access by experience, limit access to only the specific experiences that are needed.
93
89
94
-
-**Use IP Address restrictions**: Restrict API key access to specific IP addresses or CIDR ranges to prevent unauthorized usage from unknown locations. Do not use IP Address restrictions when using your API key in Roblox places to ensure your key can be used with Roblox servers.
90
+
-**Use IP address restrictions**: Restrict API key access to specific IP addresses or CIDR ranges to prevent unauthorized usage from unknown locations. Do not use IP address restrictions when using your API key in Roblox places to ensure your key can be used with Roblox servers.
95
91
96
-
-**Set expiration dates**: For short-term use cases, configure expiration dates to automatically disable keys after a set period, reducing the risk if a key is compromised. Setting expiration dates is not recommended for longer-term use cases unless you have a key rotation process in place, as your automation may unexpectedly fail when the key expires.
92
+
-**Set expiration dates**: For short-term use cases, configure expiration dates to automatically disable keys after a set period, reducing the risk if a key is compromised. Setting expiration dates is not recommended for longer-term use cases unless you have a key rotation process in place, as your automation can unexpectedly fail when the key expires.
97
93
98
-
-**Use dedicated alternate accounts for group resource management**: Use a dedicated account with minimal permissions for group resource management, as detailed in the [Create API Keys for Managing Group-owned Resources](#create-api-keys-for-managing-group-owned-resources) section.
94
+
-**Use dedicated alternate accounts for group resource management**: Use a dedicated account with minimal permissions for group resource management, as detailed in the [Create API keys for managing group-owned resources](#create-api-keys-for-managing-group-owned-resources) section.
99
95
100
-
-**Store API keys securely**: Never store API keys directly in your source code, version control systems, or scripts where they could be exposed. Prefer using a secrets management system for storing and controlling access to your keys. In Roblox places, you should use [Secrets Store](cloud-services/secrets).
96
+
-**Store API keys securely**: Never store API keys directly in your source code, version control systems, or scripts where they could be exposed. Use a secrets management system for storing and controlling access to your keys. In Roblox places, use a[Secrets Store](cloud-services/secrets).
101
97
102
-
-**Do not share API Keys through public channels**: Never share API keys through public communication channels, forums, or social media. Only share keys through secure, private channels with trusted team members. Limit access to who you share your keys with to minimize the blast radius if a key is compromised.
98
+
-**Do not share API keys through public channels**: Never share API keys through public communication channels, forums, or social media. Only share keys through secure, private channels with trusted team members. Limit access to who you share your keys with to minimize the blast radius if a key is compromised.
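Review bot: In the added "Store API keys securely" line, `use a[Secrets Store](cloud-services/secrets)` has no space between "a" and the link as rendered here, and the new article makes the feature name read like a generic term; the removed line said "you should use [Secrets Store]". Suggest `use [Secrets Store](cloud-services/secrets)` without the article. The link target `cloud-services/secrets` also lacks the relative prefix and `.md` extension that the other links in this file use (`../reference/scopes.md`), so check that it resolves. Separately, in the IP address bullet the trailing "to ensure your key can be used with Roblox servers" can be read as the purpose of using restrictions rather than the reason to avoid them; moving that clause to the front of the sentence would remove the ambiguity.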