Reference API Roblox

Engine API

Website

Related

Reference API Roblox

HttpService

Allows sending HTTP requests and provides various web-related and JSON methods.

This class is not creatable. Instances of this class cannot be created with Instance.new.
This class is a service. It is a singleton that may be acquired with GetService.
Memory categoryInstances
Tags: [NotCreatable, Service]

Member index 13

HistoryMember
615HttpEnabled: bool
538GenerateGUID(wrapInCurlyBraces: bool = true): string
622GetAsync(url: Variant, nocache: bool = false, headers: Variant): string
462GetHttpEnabled(): bool
596GetSecret(key: string): Secret
462GetUserAgent(): string
557JSONDecode(input: string): Variant
554JSONEncode(input: Variant): string
622PostAsync(url: Variant, data: string, content_type: HttpContentType = ApplicationJson, compress: bool = false, headers: Variant): string
462RequestAsync(requestOptions: Dictionary): Dictionary
462RequestInternal(options: Dictionary): Instance
573SetHttpEnabled(enabled: bool): null
538UrlEncode(input: string): string
inherited from Instance
553Archivable: bool
670Capabilities: SecurityCapabilities
553Name: string
553Parent: Instance
670Sandboxed: bool
616UniqueId: UniqueId
576AddTag(tag: string): null
573ClearAllChildren(): null
462Clone(): Instance
573Destroy(): null
486FindFirstAncestor(name: string): Instance
486FindFirstAncestorOfClass(className: string): Instance
486FindFirstAncestorWhichIsA(className: string): Instance
486FindFirstChild(name: string, recursive: bool = false): Instance
486FindFirstChildOfClass(className: string): Instance
486FindFirstChildWhichIsA(className: string, recursive: bool = false): Instance
486FindFirstDescendant(name: string): Instance
563GetActor(): Actor
486GetAttribute(attribute: string): Variant
462GetAttributeChangedSignal(attribute: string): RBXScriptSignal
631GetAttributes(): Dictionary
648GetChildren(): Instances
462GetDebugId(scopeLength: int = 4): string
486GetDescendants(): Array
486GetFullName(): string
641GetStyled(name: string): Variant
657GetStyledPropertyChangedSignal(property: string): RBXScriptSignal
576GetTags(): Array
576HasTag(tag: string): bool
486IsAncestorOf(descendant: Instance): bool
486IsDescendantOf(ancestor: Instance): bool
664IsPropertyModified(property: string): bool
573Remove(): null
576RemoveTag(tag: string): null
664ResetPropertyToDefault(property: string): null
573SetAttribute(attribute: string, value: Variant): null
462WaitForChild(childName: string, timeOut: double): Instance
648children(): Instances
553clone(): Instance
573destroy(): null
553findFirstChild(name: string, recursive: bool = false): Instance
648getChildren(): Instances
553isDescendantOf(ancestor: Instance): bool
573remove(): null
462AncestryChanged(child: Instance, parent: Instance)
462AttributeChanged(attribute: string)
462ChildAdded(child: Instance)
462ChildRemoved(child: Instance)
462DescendantAdded(descendant: Instance)
462DescendantRemoving(descendant: Instance)
500Destroying()
657StyledPropertiesChanged()
553childAdded(child: Instance)
inherited from Object
647ClassName: string
647className: string
647GetPropertyChangedSignal(property: string): RBXScriptSignal
647IsA(className: string): bool
650isA(className: string): bool
647Changed(property: string)

Description

HttpService allows HTTP requests to be sent from game servers using RequestAsync, GetAsync and PostAsync. This service allows games to be integrated with off-Roblox web services such as analytics, data storage, remote server configuration, error reporting, advanced calculations or real-time communication. Additionally, a few Roblox web APIs can also be accessed via HttpService (see below).

HttpService also houses the JSONEncode and JSONDecode methods which are useful for communicating with services that use the JSON format. In addition, the GenerateGUID method provides random 128‑bit labels which can be treated as probabilistically unique in a variety of scenarios.

You should only send HTTP requests to trusted third-party platforms to avoid making your experience vulnerable to security risks.

This property cannot be interacted with at runtime.

Enable HTTP requests

Request-sending methods aren't enabled by default. To send requests, you must enable HTTP requests for your experience.

Use in plugins

HttpService can be used by Studio plugins. They may do this to check for updates, send usage data, download content, or other business logic. The first time a plugin attempts to do this, the user may be prompted to give the plugin permission to communicate with the particular web address. A user may accept, deny, and revoke such permissions at any time through the Plugin Management window.

Plugins may also communicate with other software running on the same computer through the localhost and 127.0.0.1 hosts. By running programs compatible with such plugins, you can extend the functionality of your plugin beyond the normal capabilities of Studio, such as interacting with your computer's file system. Beware that such software must be distributed separately from the plugin itself and can pose security hazards if you aren't careful.

Calling Roblox domains

HttpService can currently only call a subset of the Open Cloud endpoints. We plan to extend this set over time so please use the Feedback button if you have specific endpoints you'd like to see:

Groups

Data Stores

Due to current restrictions on HttpService, only alphanumeric characters and the - character are allowed in URL path parameters to Roblox domains. This means Data Stores/entries with other special characters are currently inaccessible from HttpService.

Inventory Items

Creator Store

You can call these endpoints the same way that you'd call any other endpoint via HttpService. The only difference is that you must include an Open Cloud API key in the request:

  1. Create an Open Cloud API key.
  2. Save the API key to your secrets store.
  3. Make the request (code example below).

Limitations include the following:

  • Only the x-api-key and content-type headers are allowed.
  • The x-api-key header must be a Secret.
  • Only alphanumeric characters and the - character are allowed in URL path parameters.
  • Only the https:// protocol is supported.

Rate Limiting

For each Roblox game server, there is a limit of 500 HTTP requests per minute. Exceeding this can cause request-sending methods to stall entirely for around 30 seconds. Your pcall() may also fail with a message of "Number of requests exceeded limit."

  • Open Cloud requests consume the same overall limit of 500 HTTP requests per minute enforced on all other requests.

  • Each Open Cloud endpoint has its own limit per API key owner (can be a user or a group) that is enforced no matter where the calls come from (HttpService, the web, etc.). The following headers are returned with every response and allow you to view the limits and your remaining quota:

    • x-ratelimit-limit - The total number of requests allowed to be made per API key owner (usually per minute).
    • x-ratelimit-remaining - The number of requests the API key used is still allowed to make. If this number is 0 and you receive a HTTP 429 response status code, then you have reached the rate limit for this endpoint.
    • x-ratelimit-reset - The number of seconds left before the rate limit resets (i.e before x-ratelimit-remaining resets to x-ratelimit-limit).

Additional considerations

  • There are port restrictions. You cannot use port 1194 or any port below 1024, except 80 and 443. If you try to use a blocked port, you will receive either a 403 Forbidden or ERR_ACCESS_DENIED error.
  • Web requests can fail for many reasons, so it is important to "code defensively" (use pcall()) and have a plan for when requests fail.
  • Although the http:// protocol is supported, you should use https:// wherever possible.
  • Requests sent should provide a secure form of authentication, such as a pre-shared secret key, so that bad actors cannot pose as one of your Roblox game servers.
  • Be aware of the general capacity and rate-limiting policies of the web servers to which requests are being sent.

History 55

Members 13

GenerateGUID

Parameters (1)Default
wrapInCurlyBracesbooltrue
Returns (1)
string

This method generates a random universally unique identifier (UUID) string. The sixteen octets of a UUID are represented as 32 hexadecimal (base 16) digits, displayed in five groups separated by hyphens in the form 8-4-4-4-12 for a total of 36 characters, for example 123e4567-e89b-12d3-a456-426655440000.

The UUID specification used is Version 4 (random), variant 1 (DCE 1.1, ISO/IEC 11578:1996). UUIDs of this version are the most commonly used due to their simplicity, as they are entirely randomly generated. Note that this version does not have certain features that other UUID versions have, such as encoded timestamps, MAC addresses, or time-based sorting like UUIDv7 or ULID.

There are over 5.3×1036 unique v4 UUIDs, in which the probability of finding a duplicate within 103 trillion UUIDs is one in a billion.

The wrapInCurlyBraces argument determines whether the returned string is wrapped in curly braces ({}). For instance:

  • true: {94b717b2-d54f-4340-a504-bd809ef5bf5c}
  • false: db454790-7563-44ed-ab4b-397ff5df737b
Thread safetySafe

History 4

GetAsync

Parameters (3)Default
urlVariant
nocacheboolfalse
headersVariant
Returns (1)
string

This method sends an HTTP GET request. It functions similarly to RequestAsync() except that it accepts HTTP request parameters as method parameters instead of a single dictionary and returns only the body of the HTTP response. Generally, this method is useful only as a shorthand and RequestAsync() should to be used in most cases.

When true, the nocache parameter prevents this method from caching results from previous calls with the same url.

This function yields. It will block the calling thread until completion.
Thread safetyUnsafe

History 7

Tags: [Yields]

GetHttpEnabled

Parameters (0)
No parameters.
Returns (1)
bool
SecurityRobloxScriptSecurity
Thread safetyUnsafe

History 4

GetSecret

Parameters (1)
keystring
Returns (1)
Secret

This method returns a value previously added to the secrets store for the experience. The secret content is not printable and not available when the experience runs locally.

The returned Secret can be transformed using built-in methods such as Secret:AddPrefix(). It is expected to be sent as a part of an HTTP request.

For more information, see the usage guide.

Thread safetySafe

History 1

GetUserAgent

Parameters (0)
No parameters.
Returns (1)
string
SecurityRobloxScriptSecurity
Thread safetyUnsafe

History 2

HttpEnabled

TypeDefault
boolfalse

When set to true, allows scripts to send requests to websites using HttpService:GetAsync(), HttpService:PostAsync(), and HttpService:RequestAsync().

This property must be toggled on through the Game Settings interface in Studio, or for unpublished experiences by setting this property to true using the Command Bar:

game:GetService("HttpService").HttpEnabled = true

Write securityLocalUserSecurity
Thread safetyReadSafe
CategoryData
Loaded/Savedtrue

History 5

JSONDecode

Parameters (1)
inputstring
Returns (1)
Variant

This method transforms a JSON object or array into a Luau table with the following characteristics:

  • Keys of the table are strings or numbers but not both. If a JSON object contains both, string keys are ignored.
  • An empty JSON object generates an empty Luau table ({}).
  • If the input string is not a valid JSON object, this method will throw an error.

To encode a Luau table into a JSON object, use the HttpService:JSONEncode() method.

This method can be used regardless of whether HTTP requests are enabled.

This function has a custom internal state. It may behave in a non-standard way.
Thread safetySafe

History 7

Tags: [CustomLuaState]

JSONEncode

Parameters (1)
inputVariant
Returns (1)
string

This method transforms a Luau table into a JSON object or array based on the following guidelines:

  • Keys of the table must be either strings or numbers. If a table contains both, an array takes priority (string keys are ignored).

  • An empty Luau table ({}) generates an empty JSON array.

  • The value nil is never generated.

  • Cyclic table references cause an error.

    This method allows values such as inf and nan which are not valid JSON. This may cause problems if you want to use the outputted JSON elsewhere.

To reverse the encoding process and decode a JSON object, use the HttpService:JSONDecode() method.

This method can be used regardless of whether HTTP requests are enabled.

This function has a custom internal state. It may behave in a non-standard way.
Thread safetySafe

History 5

Tags: [CustomLuaState]

PostAsync

Parameters (5)Default
urlVariant
datastring
content_typeHttpContentTypeApplicationJson
compressboolfalse
headersVariant
Returns (1)
string

This method sends an HTTP POST request. It functions similarly to RequestAsync() except that it accepts HTTP request parameters as method parameters instead of a single dictionary and returns only the body of the HTTP response. Generally, this method is useful only as a shorthand and RequestAsync() should to be used in most cases.

When true, the compress parameter controls whether large request bodies will be compressed using gzip.

This function yields. It will block the calling thread until completion.
Thread safetyUnsafe

History 7

Tags: [Yields]

RequestAsync

Parameters (1)
requestOptionsDictionary
Returns (1)
Dictionary

This method sends an HTTP request using a dictionary to specify the request data, such as the target URL, method, headers, and request body data. It returns a dictionary that describes the response data received. Optionally, the request can be compressed using HttpCompression.

Request dictionary fields

NameTypeRequiredDescription
UrlStringyesThe target URL for this request. Must use http or https protocols.
MethodStringnoThe HTTP method being used by this request, most often GET or POST.
HeadersDictionarynoA dictionary of headers to be used with this request. Most HTTP headers are accepted here, but not all.
BodyStringnoThe request body. Can be any string, including binary data. Must be excluded when using the GET or HEAD HTTP methods. It might be necessary to specify the Content-Type header when sending JSON or other formats.
CompressHttpCompressionnoAn optional compression field that will compress the data in the request. The value can either be HttpCompression.None or HttpCompression.Gzip.

Supported HTTP methods

The HTTP request methods specify the purpose of the request being made and what is expected if the request is successful. For instance, the GET request method tells the server at the requested address that a resource is being requested and, if it succeeds, the resource at that address will be returned. Similarly, the HEAD request method does the same except the server knows to return a response without a Body element.

MethodDescriptionSafe
GET  The GET method requests the resource at the specified address. Does not support use of the Body parameter.Yes
HEAD  The HEAD method requests a response identical to a GET request, but with no response body. Does not support use of the Body parameter.Yes
POST  The POST method submits the supplied Body data to the requested address.No
PUT  The PUT method replaces all current iterations of the resource specified within the supplied Body data.No
DELETE  The DELETE method deletes the resource specified in the supplied Body data at the requested address.No
OPTIONS  The OPTIONS method requests the permitted communication options for the supplied address.Yes
TRACE  The TRACE method performs a message loop-back test along the path to the resource specified in the supplied Body data.Yes
PATCH  The PATCH method applies partial changes to the resource specified in the supplied Body data at the requested address.No

HTTP headers

In the request dictionary, you can specify custom HTTP headers to use in the request. However, some headers cannot be specified. For example, Content-Length is determined from the request body. User-Agent and Roblox-Id are locked by Roblox. Other headers like Accept or Cache-Control use default values but can be overridden. More commonly, some REST APIs may require API keys or other service authentication to be specified in request headers.

The RequestAsync() method does not detect the format of body content. Many web servers require the Content-Type header be set appropriately when sending certain formats. Other methods of HttpService use the HttpContentType enum; for this method set the Content-Type header appropriately: text/plain, text/xml, application/xml, application/json or application/x-www-form-urlencoded are replacement Content-Type header values for the respective enum values.

Response dictionary fields

RequestAsync() returns a dictionary containing the following fields:

NameTypeDescription
SuccessBooleanThe success status of the request. This is true if and only if the StatusCode lies within the range 200-299.
StatusCodeIntegerThe HTTP response code identifying the status of the response.
StatusMessageStringThe status message that was sent back.
HeadersDictionaryA dictionary of headers that were set in this response.
BodyThe request body (content) received in the response.

Error Cases

RequestAsync() raises an error if the response times out or if the target server rejects the request. If a web service goes down for some reason, it can cause scripts that use this method to stop functioning altogether. It is often a good idea to wrap calls to this method in pcall() and gracefully handle failure cases if the required information isn't available.

Limitations

The current limitation for sending and receiving HTTP requests is 500 requests per minute. Requests over this threshold will fail.

This function yields. It will block the calling thread until completion.
Thread safetyUnsafe

History 2

Tags: [Yields]

RequestInternal

Parameters (1)
optionsDictionary
Returns (1)
Instance
SecurityRobloxScriptSecurity
Thread safetyUnsafe

History 2

SetHttpEnabled

Parameters (1)
enabledbool
Returns (1)
null
SecurityRobloxScriptSecurity
Thread safetyUnsafe

History 5

UrlEncode

Parameters (1)
inputstring
Returns (1)
string

This method percent-encodes a given string so that reserved characters properly encoded with % and two hexadecimal characters.

This is useful when formatting URLs for use with HttpService:GetAsync()/HttpService:PostAsync(), or POST data of the media type application/x-www-form-urlencoded (Enum.HttpContentType.ApplicationUrlEncoded).

For instance, when you encode the URL https://www.roblox.com/discover#/, this method returns https%3A%2F%2Fwww%2Eroblox%2Ecom%2Fdiscover%23%2F.

Thread safetySafe

History 3

Settings