Authentication
Lithos needs a Roblox ROBLOSECURITY cookie and an Open Cloud API key
for almost every deploy. Add S3 credentials only if you use
remote state.
Keep all credentials in environment variables or a project-root .env
file. Lithos loads .env next to your config automatically.
Credentials at a glance
| Credential | Used for | Required for |
|---|---|---|
ROBLOSECURITY | Legacy Roblox APIs (place uploads, configurations, social links). | Almost every deploy. |
LITHOS_OPEN_CLOUD_API_KEY | Roblox Open Cloud (asset uploads, place publishing). | Most deploys; required for asset uploads. |
LITHOS_AWS_ACCESS_KEY_ID / LITHOS_AWS_SECRET_ACCESS_KEY | S3 / Cloudflare R2 remote state. | Only when using remote state. |
LITHOS_AWS_INHERIT_IAM_ROLE | Use the ambient AWS role instead of explicit keys. | When deploying from AWS-managed compute. |
ROBLOX_OPEN_CLOUD_API_KEY and the legacy MANTLE_* names are also
accepted — see Migrating from Mantle.
ROBLOSECURITY
The same browser cookie Roblox uses for roblox.com (opens in a new tab) and Roblox Studio. Lithos tries to read it for you first:
- If Roblox Studio is signed in on this machine, Lithos can usually read the cookie from the OS keychain.
- Otherwise, set it explicitly:
export ROBLOSECURITY="…"A ROBLOSECURITY cookie is the equivalent of your Roblox password.
Never commit it. Add .env to .gitignore, and rotate the cookie if
it leaks.
Extracting the cookie manually
If automatic detection does not find the cookie:
- Sign in to roblox.com (opens in a new tab) in any modern browser.
- Open DevTools → Application → Cookies →
https://www.roblox.com. - Copy the value of the
.ROBLOSECURITYcookie. - In CI, store it as a secret named
ROBLOSECURITY.
LITHOS_OPEN_CLOUD_API_KEY
Use this in all new setups. ROBLOX_OPEN_CLOUD_API_KEY and the legacy
MANTLE_OPEN_CLOUD_API_KEY still work.
To create one:
- Open the Creator Hub credentials page (opens in a new tab).
- Create a new API key.
- Under Access Permissions, add the experiences this project deploys to.
- Grant the scopes Lithos needs:
universe-places:write— publishing places.asset:read,asset:write— uploading image and audio assets.
- Optionally restrict the key by IP.
LITHOS_OPEN_CLOUD_API_KEY="…"Deploy preflight checks this key before apply when it can — missing or mis-scoped keys fail early.
AWS credentials (remote state only)
If you use remote state, Lithos needs S3-compatible credentials with read/write access to the state object.
LITHOS_AWS_ACCESS_KEY_ID="…"
LITHOS_AWS_SECRET_ACCESS_KEY="…"For workloads running with an AWS role, set:
LITHOS_AWS_INHERIT_IAM_ROLE=1and Lithos will use the ambient role instead of explicit keys. R2-specific setup lives on Cloudflare R2 remote state.
Using a .env file
Lithos automatically loads .env from both the project root and the
current working directory. This is the recommended way to keep secrets
locally.
ROBLOSECURITY="…"
LITHOS_OPEN_CLOUD_API_KEY="…"
# Only if using remote state:
LITHOS_AWS_ACCESS_KEY_ID="…"
LITHOS_AWS_SECRET_ACCESS_KEY="…".env
.env.*In CI, inject the same values as repository secrets — see Continuous deployment.