Register your application in the Roblox Creator Dashboard to obtain a client ID and configure redirect URIs
Build the authorization URL pointing to https://authorize.roblox.com with query parameters for client_id, redirect_uri, response_type=code, scope, and a PKCE code_challenge
Redirect the user to the authorization URL; after consent, Roblox redirects back with an authorization code
Exchange the code for tokens by POSTing to https://apis.roblox.com/oauth/v1/token with grant_type=authorization_code, the code, and code_verifier
Use the returned access token (valid 15 minutes) in the Authorization header for API calls; use the refresh token (valid 90 days) to obtain new access tokens without re-prompting the user
Known gotchas
Access tokens expire after 15 minutes; build refresh token rotation into your server from the start or users will be frequently re-prompted
The universe-messaging-service:publish scope is required for the Messaging Service API; omitting it results in a 403 when publishing even with a valid token
PKCE is strongly recommended; Roblox's OAuth2 implementation supports it and it mitigates authorization code interception attacks in mobile or desktop app flows
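The steps above, together with the PKCE gotcha, as an added Python example (not Roblox's code and not part of the original page). It builds the authorization URL, validates the callback, and prepares the token request body without making network calls. Assumptions not stated on the page: the standard `code_challenge_method=S256` (RFC 7636) and `state` (RFC 6749) parameters, and sending `client_id` in the token body; all function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://authorize.roblox.com"        # from the steps above
TOKEN_URL = "https://apis.roblox.com/oauth/v1/token"  # from the steps above

def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); the verifier never leaves the client."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 characters of CSPRNG output
    return verifier, challenge_for(verifier)

def build_authorize_url(client_id, redirect_uri, scopes, challenge, state):
    """Authorization URL carrying only the challenge, never the verifier."""
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",  # assumption: RFC 7636 name, not on the page
        "state": state,                   # assumption: RFC 6749 CSRF token, not on the page
    })

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code; reject errors and a mismatched state."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q or "code" not in q:
        raise ValueError("authorization failed: " + q.get("error", ["no code returned"])[0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discard this callback")
    return q["code"][0]

def token_request_body(code: str, verifier: str, client_id: str) -> str:
    """Form-encoded body to POST to TOKEN_URL."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "client_id": client_id,  # assumption: public client identifies itself in the body
    })
```

Keep the verifier and `state` in the user's server-side session between the redirect and the callback; a code intercepted in transit cannot be exchanged without the matching verifier.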