exploit.today API
A free, public REST API that provides real-time Roblox version data and exploit status information. No authentication required.
Base URL
Endpoints at a glance
About
Version data is sourced directly from clientsettingscdn.roblox.com. Future version hints are shown only when they differ from the current version. Exploit status data is powered by WhatExpsAre.Online and individual exploit providers.
Access-Control-Allow-Origin: * — safe to call directly from a browser or any client.
Quickstart
Make your first API call in under a minute. No API key, no setup.
JavaScript
Python
curl
Rate Limits
The API is free and public. Please be reasonable with request frequency.
Responses include Cache-Control: public, max-age=10, stale-while-revalidate=20. Most HTTP clients will respect this automatically.
Windows Version
Returns the current Roblox client version for Windows, sourced directly from Roblox's client settings CDN.
No parameters required.
Response
Fields
| Field | Type | Description |
|---|---|---|
| platform | string | Always "Windows" |
| version | string | null | Current client version hash |
| bootstrapper_version | string | null | Bootstrapper build version |
| future | string | null | Upcoming version if known and different from current, otherwise null |
| source | string | Upstream data source URL |
| fetched_at | string | ISO 8601 timestamp of when data was fetched |
macOS Version
Returns the current Roblox client version for macOS, sourced directly from Roblox's client settings CDN.
No parameters required.
Response
Fields
| Field | Type | Description |
|---|---|---|
| platform | string | Always "macOS" |
| version | string | null | Current client version hash |
| bootstrapper_version | string | null | Bootstrapper build version |
| future | string | null | Upcoming version if known and different from current, otherwise null |
| source | string | Upstream data source URL |
| fetched_at | string | ISO 8601 timestamp of when data was fetched |
Get Exploit
Returns current status, version, and metadata for a specific exploit by name.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
| name | string | Exploit name (case-insensitive). See Exploit List for valid values. |
Response
Fields
| Field | Type | Description |
|---|---|---|
| title | string | Display name of the exploit |
| version | string | Current exploit version, or "N/A" |
| rbxversion | string | Supported Roblox version, or "N/A" |
| platform | string | Target platform |
| free | boolean | Whether the exploit is free |
| detected | boolean | true if currently detected by Roblox |
| updateStatus | boolean | true if updated for the current Roblox version |
| clientmods | boolean | Whether client mods are supported |
| websitelink | string | null | Official website URL |
| changelog | string | null | Latest changelog text if available |
| fetched_at | string | ISO 8601 fetch timestamp |
404 is returned with an available array listing valid names.
Exploit List
All exploit names accepted by /api/exploit/{name}. Names are case-insensitive.
| Name | Source | Free |
|---|---|---|
| xeno | x3no.pages.dev | free |
| rbxcli | rbxcli.dev | paid |
| madium | madium.net | free |
| cosmic | cosmic.best | paid |
| volt | WEAO | — |
| codex | WEAO | — |
| wave | WEAO | — |
| velocity | WEAO | — |
| solara | WEAO | — |
| potassium | WEAO | — |
Error Codes
All errors return JSON with an error field describing what went wrong.
| Status | Meaning |
|---|---|
| 200 | Success |
| 404 | Unknown route or unknown exploit name. Response includes available array for exploit lookups. |
| 502 | Upstream fetch failed — the data source did not respond or returned an error. |
| 500 | Internal worker error. Response includes a message field with details. |
Error response shape
Changelog
A record of changes to the exploit.today API.
v1.0.0 Jun 10, 2026
Initial public release.
GET /api/windows— Windows Roblox version via clientsettingscdnGET /api/macos— macOS Roblox version via clientsettingscdnGET /api/exploit/{name}— Exploit status- Future version hints from WEAO (hidden/same suppressed)
- CORS enabled on all routes
All Versions
Returns current and future Roblox version data for all platforms in a single request. Used by the exploit.today site's platform bar.
No parameters required.
Response
null when no future version is known or when it matches the current version.
All Exploits
Returns an array of all tracked exploits with their current status. Used by the exploit.today site's exploit cards.
No parameters required. Returns an array of exploit objects.
Response
uncPercentage, discordlink) are only present for certain exploits.
RbxCli
Returns current status and version for RbxCli, sourced directly from rbxcli.dev.
No parameters required.
Response
you are ' are automatically stripped from the response.
Madium
Returns current status and version for Madium, scraped from madium.net/changelog.html.
No parameters required.
Response
Cosmic
Returns current status and version for Cosmic, sourced from auth.cosmic.best/info.
No parameters required.