HTTP Requests to external APIs using Secrets are not working

robl0xfif0 · August 7, 2025, 3:26pm

After the incident yesterday none of our experiences that use HTTP Requests seem to be working, including experiences that had no changes to them.

Expected behavior

We expect them to work as they did before.

A private message is associated with this bug report

Hooksmith · August 7, 2025, 3:28pm

Hey, can you please describe the issue in more detail and provide a repro case?

robl0xfif0 · August 7, 2025, 3:37pm

I cannot share our API Secret here, but the steps would be:

Use HTTP Service to make an API Call to an external API using HTTP Secrets in the X-API-Key header.

It works anywhere else (cURL, Postman, etc) — it doesn’t in Roblox.

Hooksmith · August 7, 2025, 3:41pm

Which endpoints are you hitting? Are these Roblox endpoints (Open Cloud via HttpService) or your own endpoints?

robl0xfif0 · August 7, 2025, 4:25pm

Oh well, turns out we found the issue … something in your system must have switched to http/2 and our endpoints were previously relying on clients sending case-sensitive headers whereas http/2 dropped support for that

we removed the case-sensitive insanity and it now works!

robl0xfif0 · August 7, 2025, 4:54pm

To be more specific, this is our code:

local requestData = { Url = url, Method = method, Headers = { ["Content-Type"] = "application/json", ["X-API-Key"] = API_KEY, }, }

Before: the header would be sent by the Roblox client as case-sensitive X-API-Key,
At some point (we didn’t pinpoint exactly when): the header started being sent by the Roblox client as case-insensitive x-api-key ignoring the case set by the Lua code,

Our system was case sensitive so things started failing silently and in a way we couldn’t tell until we enabled verbose logging and caught that small difference.

Our system has now been updated to accept headers as case insensitive and it is working again.

the_swegmeister · August 7, 2025, 8:49pm

Sorry for the inconvenience -
Yesterday, we enabled support for HTTP/2 if the server also supports HTTP/2. When using HTTP/2, header names are lowered automatically in accordance with RFC7540: RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2)
Since HTTP headers are also considered case-insensitive in HTTP/1.1, we didn’t anticipate this change causing issues for developers. Thank you for your work in debugging this issue, and we apologize for not giving advance notice about this feature release. We’ve since rolled back this functionality, so HTTP headers should work as they did before. We will make an announcement before launching this again; thanks!

system · August 21, 2025, 8:49pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.