Reference

Security

Flux is for observability, not a secrets vault. The SDK is split into a server half and a client half precisely so that project keys never reach the client.

API keys (server-only)

  • Never commit keys to public repos or paste them in public chats.
  • Call FluxServer.Init(apiKey) only from server code (typically once when your experience boots, for example from a Script in ServerScriptService). Keep the key itself in a server-only container such as ServerStorage or ServerScriptService. It must never appear in ReplicatedStorage, StarterPlayer, StarterGui, or any ModuleScript that a LocalScript can require, because everything in those containers is replicated to every client and can be read with an exploit.
  • FluxClient has no Init(apiKey): clients forward structured events to the server through FluxRemoteEvent, and FluxServer is the only component that calls Flux over HTTP.
  • Rotate immediately on leak, and treat the key as leaked if it was ever placed in a replicated container or published in a public place file; then update every server script that initialised with the old key.

Untrusted clients

Treat every RemoteEvent payload as hostile input: an exploiter can fire FluxRemoteEvent with any arguments, of any type and size, at any rate. The Flux server module validates shape and size, applies per-player throttling, and derives player attribution from the Player instance Roblox passes to OnServerEvent, never from arbitrary fields clients send.
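The following server-side handler is an added illustration of the checks described above; it is not Flux's own module. It assumes a RemoteEvent named FluxRemoteEvent in ReplicatedStorage and a client payload of the shape `{ level = "info", msg = "...", data = { ... } }`; the payload shape, the limits, and the `outbox` stand-in for the real forwarding call are all assumptions made for this example.

```lua
-- Added example (not Flux code): validate, throttle and attribute client events.
-- Assumed payload shape: { level = "info", msg = "...", data = { k = scalar, ... } }
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local remote = ReplicatedStorage:WaitForChild("FluxRemoteEvent")

-- Limits are assumptions for this example; tune them to your event volume.
local MAX_MSG_BYTES = 512
local MAX_DATA_KEYS = 16
local MAX_KEY_BYTES = 64
local MAX_VALUE_BYTES = 256
local ALLOWED_LEVELS = { debug = true, info = true, warn = true, error = true }

-- Per-player token bucket: at most BURST events at once, refilling RATE per second.
local RATE, BURST = 5, 20
local buckets = {} -- [Player] = { tokens = n, last = clock }

local function allow(player)
	local now = os.clock()
	local b = buckets[player]
	if not b then
		b = { tokens = BURST, last = now }
		buckets[player] = b
	end
	b.tokens = math.min(BURST, b.tokens + (now - b.last) * RATE)
	b.last = now
	if b.tokens < 1 then
		return false
	end
	b.tokens -= 1
	return true
end

Players.PlayerRemoving:Connect(function(player)
	buckets[player] = nil -- keep the throttle table from growing without bound
end)

-- Returns a sanitized record or nil. Only string/number/boolean values survive;
-- nested tables, Instances, functions and oversized strings cause rejection.
local function sanitize(player, payload)
	if typeof(payload) ~= "table" then return nil end
	if not ALLOWED_LEVELS[payload.level] then return nil end
	if typeof(payload.msg) ~= "string" or #payload.msg > MAX_MSG_BYTES then return nil end

	local data = {}
	if payload.data ~= nil then
		if typeof(payload.data) ~= "table" then return nil end
		local count = 0
		for k, v in pairs(payload.data) do
			count += 1
			if count > MAX_DATA_KEYS then return nil end
			if typeof(k) ~= "string" or #k > MAX_KEY_BYTES then return nil end
			local t = typeof(v)
			if t == "string" then
				if #v > MAX_VALUE_BYTES then return nil end
				data[k] = v
			elseif t == "number" or t == "boolean" then
				data[k] = v
			else
				return nil -- tables, Instances, functions: not accepted from clients
			end
		end
	end

	return {
		level = payload.level,
		msg = payload.msg,
		data = data,
		-- Attribution comes from the Player instance the engine hands the server,
		-- never from a userId or name field inside the client payload.
		userId = player.UserId,
		placeId = game.PlaceId,
		ts = os.time(),
	}
end

-- Stand-in for handing the record to the Flux server module (assumption: the
-- real forwarding call is not shown on this page).
local outbox = {}

remote.OnServerEvent:Connect(function(player, payload)
	if not allow(player) then return end   -- throttled: drop silently, no reply to the client
	local record = sanitize(player, payload)
	if not record then return end           -- malformed: drop silently
	table.insert(outbox, record)
end)
```

Two design choices matter here: rejected and throttled events are dropped without any response, so an exploiter gets no feedback to tune against, and the throttle state is keyed on the Player object and cleared on PlayerRemoving so a join/leave loop cannot grow server memory.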

Payloads

Project members can read logs in the web app, so anything you log is visible to everyone on the project. Do not log tokens, cookies, keys, or PII you have no reason to retain; prefer opaque ids (for example a numeric UserId rather than an e-mail address or free-text contact details).
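As an added example of applying that rule on the server before a record is shipped (not Flux's own code), the scrubber below redacts values under sensitive-looking keys and values that look like bearer tokens or JWTs, and refuses to walk arbitrarily deep tables. The deny list, the value patterns and the sample record are assumptions constructed for this example.

```lua
-- Added example (not Flux code): redact secrets and PII from a log record.
-- DENY_KEYS and the value patterns are assumptions; extend them for your data.
local DENY_KEYS = {
	"token", "cookie", "secret", "password", "passwd",
	"apikey", "api_key", "authorization", "email", "phone",
}
local REDACTED = "[redacted]"
local MAX_DEPTH = 4

-- Substring match on the lowercased key, so "sessionToken" and "x-api-key" both hit.
local function keyIsSensitive(key)
	local k = string.lower(tostring(key))
	for _, needle in ipairs(DENY_KEYS) do
		if string.find(k, needle, 1, true) then
			return true
		end
	end
	return false
end

-- Heuristics for secrets that arrive under an innocent key (e.g. pasted into a message).
local function valueIsSensitive(v)
	if typeof(v) ~= "string" then return false end
	local s = string.lower(v)
	if string.match(s, "^bearer%s+%S+") then return true end
	-- JWT-like: three base64url segments, and long enough not to be a version string
	if #s > 40 and string.match(s, "^[%w%-_]+%.[%w%-_]+%.[%w%-_]+$") then return true end
	return false
end

-- Returns a scrubbed copy; the input record is left untouched.
local function scrub(value, depth)
	depth = depth or 0
	if typeof(value) ~= "table" then
		return valueIsSensitive(value) and REDACTED or value
	end
	if depth > MAX_DEPTH then return REDACTED end -- do not recurse into deep client-shaped trees
	local out = {}
	for k, v in pairs(value) do
		if keyIsSensitive(k) then
			out[k] = REDACTED
		else
			out[k] = scrub(v, depth + 1)
		end
	end
	return out
end

-- Constructed sample record for this example.
local sample = {
	msg = "checkout failed",
	userId = 123456, -- opaque id: kept as-is
	data = {
		email = "player@example.com",
		authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
		note = "Bearer abc123 pasted into a free-text field",
		attempt = 3,
	},
}
local clean = scrub(sample)
```

Run on the constructed sample, `clean.data.email` and `clean.data.authorization` are replaced because of their keys, `clean.data.note` because its value starts with a bearer prefix, while `clean.userId` and `clean.data.attempt` pass through unchanged. Scrub on the server, after validation and before forwarding, so that the redaction cannot be bypassed by a client that skips it.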

Transport

Use https:// ingest URLs only, so the API key and event payloads are never sent in cleartext; avoid redirect chains, since every intermediate host sees the request. Architecture details: Architecture.