TALQENDocs

Security

Treat Talqen API keys like production secrets. The integration surface is designed for trusted server environments.

Server-side credentials

  • Call Talqen only from Roblox server Scripts or your backends
  • Never use LocalScripts for authenticated requests
  • Never place keys in ReplicatedStorage or client-replicated modules

Least privilege scopes

Request only the scopes your integration needs. Activity writes require activity:write. Reads require activity:read or staff:read as documented per endpoint.

Test and live separation

Use talqen_test_ keys against staging and talqen_live_ keys against production. Do not share secrets across environments.

Allowed universe IDs

Each developer application has an allowlist of Roblox universe IDs. Shift start rejects universes that are not allowlisted. An empty allowlist denies all universes.

Credential rotation

Rotate any credential that may have been exposed in Git, logs, screenshots, Discord, or client builds. Revoke first, then issue a replacement from the developer portal.

Safe retries and idempotency

  • Always send Idempotency-Key on shift mutations
  • Retry network failures with the same key for the same logical attempt
  • Respect 429 Retry-After before retrying

Request ID logging

Persist requestId with your own correlation IDs. Support needs request IDs, not secrets.