Skip to Content

Roblox SDK API Keys

SDK API keys are created per Roblox universe and are scoped to specific SDK capabilities.

Scopes

ScopeAllows
schedule:writeRegister deterministic schedules
event:reportReport live/manual events

Keys are hashed at rest. RoControl stores only the hash and display prefix, so the full key is shown once when it is created or rotated.

Rotation

  1. Create or rotate the key in the game’s RoControl SDK panel.
  2. Copy the new key into ServerStorage/RoControlConfig/ApiKey.
  3. Publish the Roblox place update.
  4. Revoke the old key after servers have rolled.

Security rules

  • Never commit keys to source control.
  • Never put keys in replicated Roblox containers.
  • Never log keys in backend, Studio, or game logs.
  • Use the smallest set of scopes needed by the game.

If a key is exposed, revoke it immediately and rotate to a new key.