In-experience HTTP requests

You can use HttpService to send generic HTTP requests to third-party web services for use cases like analytics, data storage, or error logging. HttpService also supports certain Open Cloud endpoints.

Enable HTTP requests

The HttpService:GetAsync(), HttpService:PostAsync(), and HttpService:RequestAsync() methods aren't enabled by default. To send requests, you must Allow HTTP Requests under Game Settings for your experience.

Use in plugins

You can use HttpService in Studio plugins to check for updates, download content, or other business logic. The first time a plugin attempts to use the service, the user might be prompted to give the plugin permission to communicate with the particular web address. Users can accept, deny, and revoke these permissions at any time through the Plugin Management window.

Plugins can also communicate with other software running on the same computer through the localhost and 127.0.0.1 hosts. By running programs compatible with such plugins, you can extend the functionality of your plugin beyond the normal capabilities of Studio, such as interacting with your computer's file system. Beware that such software must be distributed separately from the plugin itself and can pose security risks.

Use with Open Cloud

HttpService can currently call a subset of the Open Cloud endpoints. You can call these endpoints the same way that you'd call any other endpoint via HttpService. The only difference is that you must include an Open Cloud API key in the request:

1. Create an Open Cloud API key.
2. Save the API key to your secrets store.
3. Make the request.

The following code sample demonstrates how to update a user's group membership from within an experience:

local HttpService = game:GetService("HttpService")

local groupId = "your_group_id"
local membershipId = "your_membership_id"
local roleId = "your_role_id"

local function request()
	local response = HttpService:RequestAsync({
		Url = `https://apis.roblox.com/cloud/v2/groups/{groupId}/memberships/{membershipId}`,
		Method = "PATCH",
		Headers = {
			["Content-Type"] = "application/json", -- When sending JSON, set this!
			["x-api-key"] = HttpService:GetSecret("APIKey"), -- Set in Creator Hub
		},
		Body = HttpService:JSONEncode({ role = `groups/{groupId}/roles/{roleId}` }),
	})

	if response.Success then
		print("The response was successful:", response.StatusCode, response.StatusMessage)
	else
		print("The response returned an error:", response.StatusCode, response.StatusMessage)
	end
	print("Response body:\n", response.Body)
	print("Response headers:\n", HttpService:JSONEncode(response.Headers))
end

-- Wrap the function in pcall() for safety
local success, errorMessage = pcall(request)
if not success then
	print("The HTTP request failed to send:", errorMessage)
end

Supported Open Cloud endpoints

The following endpoints are supported. Due to current limitations on HttpService, the .. string is not allowed in URL path parameters to Roblox domains. This means, for example, that data stores and entries containing this string are currently inaccessible from HttpService.

Assets

• GetAsset
• ListAssetVersions
• GetAssetVersion

Bans and blocks

• ListUserRestrictions (Place)
• GetUserRestriction (Place)
• UpdateUserRestriction (Place)
• ListUserRestrictions (Universe)
• GetUserRestriction (Universe)
• UpdateUserRestriction (Universe)
• ListUserRestrictionLogs (Universe)

Creator Store

• CreateCreatorStoreProduct
• GetCreatorStoreProduct
• UpdateCreatorStoreProduct
• CreatorStoreAssetsSearch

Data and memory stores

Data stores:

• ListDataStores
• SnapshotDataStores
• ListDataStoreEntries
• CreateDataStoreEntry
• GetDataStoreEntry
• DeleteDataStoreEntry
• UpdateDataStoreEntry
• IncrementDataStoreEntry
• ListDataStoreEntryRevisions
• ListDataStoreEntries (With Scope)
• CreateDataStoreEntry (With Scope)
• GetDataStoreEntry (With Scope)
• DeleteDataStoreEntry (With Scope)
• UpdateDataStoreEntry (With Scope)
• IncrementDataStoreEntry (With Scope)
• ListDataStoreEntryRevisions (With Scope)

Memory stores:

• CreateMemoryStoreQueueItem
• DiscardMemoryStoreQueueItems
• ReadMemoryStoreQueueItems
• ListMemoryStoreSortedMapItems
• CreateMemoryStoreSortedMapItem
• GetMemoryStoreSortedMapItem
• DeleteMemoryStoreSortedMapItem
• UpdateMemoryStoreSortedMapItem
• FlushMemoryStore

Ordered data stores:

• ListOrderedDataStoreEntries
• CreateOrderedDataStoreEntry
• GetOrderedDataStoreEntry
• DeleteOrderedDataStoreEntry
• UpdateOrderedDataStoreEntry
• IncrementOrderedDataStoreEntry

Groups

• GetGroup
• ListGroupJoinRequests
• AcceptGroupJoinRequest
• DeclineGroupJoinRequest
• ListGroupMemberships
• UpdateGroupMembership
• ListGroupRoles
• GetGroupRole
• GetGroupShout

Inventories

• ListInventoryItems

Luau execution

• CreateLuauExecutionSessionTaskBinaryInput
• CreateLuauExecutionSessionTask
• CreateLuauExecutionSessionTask (with version)
• GetLuauExecutionSessionTask
• ListLuauExecutionSessionTaskLogs

Notifications

• CreateUserNotification

Places

• GetPlace
• UpdatePlace
• GetInstance
• UpdateInstance

Universes

• UpdateUniverse
• GetUniverse
• PublishUniverseMessage
• RestartUniverseServers

Users

• GetUser
• GenerateUserThumbnail

Limitations

• Only the x-api-key and content-type headers are allowed.
• The x-api-key header must be a Secret. See Secrets stores.
• The ".." string is not allowed in URL path parameters.
• Only the HTTPS protocol is supported.
• You cannot use port 1194 or any port below 1024, except 80 and 443. If you try to use a blocked port, you receive either a 403 Forbidden or ERR_ACCESS_DENIED error.

Rate limits

For each Roblox game server, there is a limit of 500 HTTP requests per minute. Exceeding this can cause request-sending methods to stall for around 30 seconds. Your pcall() may also fail with a message of Number of requests exceeded limit.

• Open Cloud requests consume the same overall limit of 500 HTTP requests per minute enforced on all other requests.
• Each endpoint has its own limit per API key owner (can be a user or a group) that is enforced no matter where the calls come from (HttpService, the web, etc.).

For detailed information about Open Cloud rate limits, authentication-based rate limiting, and best practices, see Rate Limits.

Additional considerations

• Web requests can fail for many reasons. Use pcall() and have a plan for when requests fail.
• Requests should provide a secure form of authentication, such as a pre-shared secret key, so that bad actors cannot pose as one of your Roblox game servers.
• Be aware of the general capacity and rate-limiting policies of the web servers to which requests are being sent.