Skip to main content

Authentication and limits

Base URL:

https://api.guardyn.xyz

Send the complete workspace API key in the x-api-key header:

x-api-key: gdn_live_REDACTED
content-type: application/json

Roblox requires the header value to be a Secret. Guardyn also accepts Authorization: Bearer and x-guardyn-key for non-Roblox server integrations, but x-api-key is the supported Roblox form.

Key lifecycle

  • The complete key is returned once at creation.
  • Guardyn stores a keyed hash and a short display prefix.
  • Revocation is immediate.
  • A workspace may have more than one active key during rotation.
  • Create the replacement, update the Roblox Secret, verify traffic on the new key, then revoke the old key.

Limits

  • 600 authenticated API requests per key per minute.
  • 30 invalid-key attempts per source IP hash per minute.
  • Report bodies: 128 KiB maximum.
  • Restriction-check bodies: 16 KiB maximum.
  • Report text and each context message: 1,000 characters maximum.
  • Context: four messages maximum.

Plan report allowances are counted per workspace from the start of each UTC calendar month.