Profile-code verification

The default verification method. Designed to be the lowest-friction path that doesn't require any unsafe data from your members. For a one-click alternative, see Sign in with Roblox.

How it works

  1. The user runs /verify in your server.
  2. MGS Link generates a short code in the form MGS-XXXX-XXXX-XXXX using a 30-character ambiguous-free alphabet (no I, L, O, 0, 1).
  3. The bot replies ephemerally with a Components v2 prompt containing the code, a copy button, the verification page link, and a live countdown.
  4. The user pastes the code into their Roblox profile description, returns to the verification page, and enters their Roblox username.
  5. Our backend resolves the username, fetches the description from users.roblox.com/v1/users/{id}, and confirms the code is present.
  6. The user/account link is created and a role-sync job is queued.

15-minute expiry

Sessions expire automatically. Resend gets a fresh code without invalidating other in-flight verifications.

Single use, bound to (guild, user)

A token can only be redeemed once and only by the Discord user it was created for. Replay attacks fail.

Server-side validation

Our backend reads the Roblox profile description through the public API and matches the code. The browser never decides whether you're verified.

What we never ask for

  • • Your Roblox password.
  • • Your .ROBLOSECURITY cookie.
  • • Two-factor codes.
  • • Email or any other private profile information.

The only data we read is what's already public on your Roblox profile.

Common failures

"Code not found in profile"
The user pasted into status or About instead of the description. Verification only checks the description field.
"Roblox username not found"
They entered display name. Use the underscore-friendly username, not the display name.
"Session expired"
Codes are valid for 15 minutes. Run /verify again to get a fresh one.
Next · Role sync