roblox-oauth

When to Load

Load this skill when the task centers on Roblox OAuth 2.0 delegated authorization for Open Cloud — app registration, authorization code flow with PKCE, token exchange/refresh/revocation, scope selection, or OAuth-specific error debugging. Skip it for API-key automation, in-experience scripting, or general Open Cloud endpoint work (use roblox-cloud instead).

Quick Reference

Flow Selection

• Auth Code + PKCE — required for public clients (browser/mobile), recommended for all.
• Confidential — backend holds client_secret; never expose in frontend code.
• Public — no secret; PKCE mandatory.

PKCE Essentials

• Generate code_verifier (43–128 char random) + code_challenge (SHA-256, base64url).
• Send code_challenge + code_challenge_method=S256 in authorize; send code_verifier in token exchange.
• One verifier per authorization attempt.