Secrets stores

Roblox offers a secrets store for each game. Secrets are sensitive information like API keys, passwords, and access tokens that you use to authenticate with external services. For example, if you want to connect to a third-party analytics or music service, you likely need to use an API key to authenticate with it.

You could copy and paste the API key into a script or add it to a data store, but those approaches carry unnecessary security risks. The better solution is to use the secrets store and access the key using a small set of secure methods.

Add secrets

To view, create, or edit secrets, you must be the game owner or group owner. You can have up to 500 secrets per game.

  1. Navigate to the Creator Dashboard.

  2. Select your game, and then select SecretsCreate Secret.

  3. Enter a name, the secret, and the applicable domain.

    • The name acts as a unique identifier for the secret, so we recommend something descriptive.
    • Secrets can be up to 1,024 characters in length. API keys and access tokens should come from the service provider, but if the secret is a password, you probably created it yourself.
    • You can use a limited wildcard syntax for the domain, such as * for any domain (not recommended) or *.example.com for any subdomain at example.com. Specific domains are even better, such as my.example.com.

Local secrets

For security reasons, the secrets store for each game is only available to live servers or collaborative testing environments. If you try to access a secret during local playtesting, you receive a Can't find secret with given key error. You receive an identical error if you try to access secrets from a client script.

To specify secrets for local testing, go to Studio and then go to FileExperience SettingsSecurity. You can create new secrets and edit or delete existing secrets in the Secrets section.

View, create, edit secrets with the Secrets UI. Add a new secret with name secretName1, value 123456, and restricted to domain *.example.com.

Use secrets

Before using secrets within your game, you must enable Allow HTTP Requests in the Security section of Studio's FileExperience Settings window. Then call HttpService:GetSecret() within a server script:


local HttpService = game:GetService("HttpService")
local testSecret = HttpService:GetSecret("test_secret")

Part of the appeal of using secret stores is that you can't accidentally print a secret. Instead of the secret itself, the following code outputs the name you provided when creating the secret:


print(testSecret) --> Secret(test_secret)

You can't manipulate the string directly. Instead, the Secret data type lets you add a prefix and suffix to the secret to help form a URL or insert content like Bearer:


local HttpService = game:GetService("HttpService")
local testSecret = HttpService:GetSecret("test_secret")
local prefix = "https://my.example.com/endpoint?apiKey="
local suffix = "&user=username"
local url = testSecret:AddPrefix(prefix)
url = url:AddSuffix(suffix)
print(url) --> https://my.example.com/endpoint?apiKey=Secret(test_secret)&user=username

After you have a URL with the secret inserted, you can make standard HTTP requests using methods like HttpService:RequestAsync(). Of course, you can ignore these methods and insert the secret directly into a header, too.

©2026 Roblox Corporation. Roblox, the Roblox logo and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.