Sign in with Roblox
An optional one-click verification method that runs alongside the profile-code flow. When enabled, members see a method picker on the verify page.
Fastest path
If the member is already signed in to Roblox, verification is two clicks and no copy-pasting.
PKCE, no secrets in the browser
We use the OAuth 2.0 Authorization Code flow with PKCE. The code is exchanged for tokens server-side.
Password-free
Roblox handles the login on their own domain. We only receive your Roblox user ID, username, and display name.
Enabling it (server owner)
OAuth is configured once at the platform level by whoever hosts MGS Link. If you self-host:
- Open create.roblox.com → Open Cloud → OAuth 2.0 Apps and create an app.
- Set the redirect URI to https://app.mgslink.lol/api/auth/roblox/callback.
- Request the openid and profile scopes.
- Paste the client ID and secret into the dashboard environment as ROBLOX_OAUTH_CLIENT_ID and ROBLOX_OAUTH_CLIENT_SECRET, then redeploy.
When those values are present, the “Sign in with Roblox” option appears automatically. If they're blank, the verify page quietly falls back to profile-code only.
How it flows
- The member clicks “Sign in with Roblox” on the verify page.
- We generate a PKCE verifier + state, store them against the verification session, and redirect to Roblox.
- Roblox authenticates the member and redirects back to our callback.
- We validate the state, exchange the code for tokens server-side, and read the member's Roblox identity from the userinfo endpoint.
- The link is created, plan limits are checked, and a role-sync job is queued — same as the profile-code path from there on.
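The second and fourth steps above (create and store the PKCE verifier and state, then validate the state before the code exchange), as an added Node.js example that is not MGS Link's own code. The in-memory Map, the function names, the 10-minute lifetime and the discard-on-failure behaviour are assumptions made for illustration; the authorize URL is Roblox's OAuth 2.0 authorization endpoint.

```javascript
const crypto = require('node:crypto');

// Assumed values for this sketch; the redirect URI is the one given on this page.
const AUTHORIZE_URL = 'https://apis.roblox.com/oauth/v1/authorize';
const REDIRECT_URI = 'https://app.mgslink.lol/api/auth/roblox/callback';
const TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending login

const b64url = (buf) => buf.toString('base64url');
// PKCE S256: challenge = BASE64URL(SHA-256(ASCII(verifier))), RFC 7636 section 4.2
const challengeFor = (verifier) =>
  b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());

// Generate verifier + state, store them server-side against the verification
// session, and return the URL the member is redirected to.
function startLogin(sessions, sessionId, clientId, now = Date.now()) {
  const verifier = b64url(crypto.randomBytes(32)); // 43 chars, the RFC 7636 minimum
  const state = b64url(crypto.randomBytes(32));
  sessions.set(sessionId, { verifier, state, expires: now + TTL_MS });
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: REDIRECT_URI,
    response_type: 'code',
    scope: 'openid profile',
    state,
    code_challenge: challengeFor(verifier), // only the hash leaves the server
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Callback: validate the returned state. On success, returns the verifier to
// send as code_verifier in the server-side token request; otherwise null.
function finishLogin(sessions, sessionId, returnedState, now = Date.now()) {
  const pending = sessions.get(sessionId);
  sessions.delete(sessionId); // single use, discarded even when validation fails
  if (!pending || now > pending.expires || typeof returnedState !== 'string') return null;
  const a = Buffer.from(pending.state);
  const b = Buffer.from(returnedState);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  return pending.verifier;
}
```

A null result from finishLogin means the callback is rejected before any token request is made, so a forged or replayed callback never reaches the code exchange.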