Roblox SDK API Keys
SDK API keys are created per Roblox universe and are scoped to specific SDK capabilities.
Scopes
| Scope | Allows |
|---|---|
schedule:write | Register deterministic schedules |
event:report | Report live/manual events |
Keys are hashed at rest. RoControl stores only the hash and display prefix, so the full key is shown once when it is created or rotated.
Rotation
- Create or rotate the key in the game’s RoControl SDK panel.
- Copy the new key into
ServerStorage/RoControlConfig/ApiKey. - Publish the Roblox place update.
- Revoke the old key after servers have rolled.
Security rules
- Never commit keys to source control.
- Never put keys in replicated Roblox containers.
- Never log keys in backend, Studio, or game logs.
- Use the smallest set of scopes needed by the game.
If a key is exposed, revoke it immediately and rotate to a new key.