API & OAuth 2.0 Usage Policy
86-90 Paul Street, London, EC2A 4NE, United Kingdom, 3rd floor
Company Number: 16299589
D-U-N-S® Number: 233593534
Email: admin@ewstechnology.com
Website: ewstechnology.com
1) Independent Service — No Roblox Affiliation
UniClover is not affiliated with, endorsed by, or sponsored by Roblox Corporation. All Roblox names, trademarks, services, and related assets belong to their respective owners. Where Roblox authentication is used, it is performed only through official Roblox-controlled systems.
2) Purpose of OAuth Usage
Roblox OAuth 2.0 is used exclusively to:
- Verify user identity.
- Link a Roblox account to the Service.
- Enable account-specific features.
- Create or resume an authenticated UniClover session.
- Prevent fraud, impersonation, replay, token misuse, and unauthorized account linking.
- Support legitimate competitions, community features, and account security workflows.
OAuth authorization occurs only after explicit user action and Roblox-controlled consent. By default, the Service requests only the openid and profile scopes, does not ask for your Roblox password, and does not request broader scopes unless a specific Service feature requires them and the user is clearly informed.
3) How the OAuth Flow Works
The UniClover OAuth flow is designed to be narrow, transparent, and resistant to abuse.
- The user initiates sign-in from an official UniClover website or client surface.
- The user is redirected to official Roblox authorization pages.
- UniClover validates the returning authorization response against the expected client, state value, verifier, and approved redirect URI.
- Only after those checks succeed does UniClover complete account linking or session establishment.
If a response appears tampered with, replayed, expired, mismatched, or otherwise inconsistent with the expected flow, UniClover may invalidate the transaction, require a fresh sign-in, or refuse to continue the login process.
4) Data Received via OAuth
Depending on permissions granted, UniClover may receive:
- Roblox User ID, username, display name, profile URL, and picture.
- Authorization codes, PKCE-related state data, linked-account identifiers, approved redirect context, and consented scopes.
- Access tokens, and refresh tokens where a client surface uses them for session continuity.
- Authorization timestamps, session metadata, error events, revocation or expiration outcomes, and security events related to the sign-in flow.
No Roblox password, password-equivalent credential, or recovery secret is collected by the Service. On the website, access tokens are used only to complete the sign-in flow and are then discarded. Some official client apps may retain tokens locally on the device, with access controls, so the session can continue or be refreshed.
5) Data Usage Restrictions
Data obtained through OAuth is used solely for legitimate Service operation, including authentication, session management, security, anti-fraud controls, user-requested functionality, and compliance with legal obligations.
OAuth data is not used for:
- Selling or trading personal data.
- Advertising or profiling unrelated to the Service.
- Unauthorized data aggregation.
- Surveillance or tracking across unrelated services.
- Collecting credentials through imitation login pages or non-official flows.
- Performing hidden or unauthorized actions on Roblox or third-party accounts.
6) Token and Session Security
- Approved client IDs and allow-listed redirect URIs only.
- Minimum necessary scopes for sign-in and linked-account features.
- PKCE (S256) with one-time state and verifier usage.
- Secure session handling and mismatch / replay rejection.
- Secure storage with access controls.
- Encryption in transit.
- Limited internal access.
- Automatic expiration handling and revocation awareness.
- Immediate revocation, expiration handling, or deletion when data is no longer needed.
Where appropriate, UniClover may invalidate, repeat, or refuse a login flow if the response appears inconsistent with the expected state, verifier, redirect URI, client surface, or account-linking context.
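The checks listed in sections 3 and 6 (allow-listed client and redirect URI, PKCE S256, one-time state and verifier, expiry, mismatch and replay rejection) can be sketched as follows. This is an added illustration, not UniClover's code; the client ID, redirect URI, lifetime, and all function names are assumptions made for the example.

```python
import base64, hashlib, secrets, time

# Constructed values; a real deployment has its own registered client and URI.
ALLOWED = {("example-client-id", "https://app.example.test/oauth/callback")}
TX_TTL = 600      # seconds a pending sign-in stays valid (assumed)
_pending = {}     # state -> transaction; use a shared server-side store in production

def s256_challenge(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def begin_login(client_id, redirect_uri, now=None):
    """Create a pending transaction and return the authorization parameters."""
    if (client_id, redirect_uri) not in ALLOWED:
        raise ValueError("client_id / redirect_uri pair is not allow-listed")
    now = time.time() if now is None else now
    state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(64)
    _pending[state] = {"client_id": client_id, "redirect_uri": redirect_uri,
                       "verifier": verifier, "expires": now + TX_TTL}
    return {"response_type": "code", "client_id": client_id,
            "redirect_uri": redirect_uri, "scope": "openid profile",
            "state": state, "code_challenge": s256_challenge(verifier),
            "code_challenge_method": "S256"}

def handle_callback(params, client_id, redirect_uri, now=None):
    """Return (True, verifier) if the response matches a pending transaction,
    otherwise (False, reason). The state is consumed on first use."""
    now = time.time() if now is None else now
    tx = _pending.pop(params.get("state", ""), None)   # one-time: pop, not get
    if tx is None:
        return False, "unknown_or_replayed_state"
    if now > tx["expires"]:
        return False, "expired"
    if (tx["client_id"], tx["redirect_uri"]) != (client_id, redirect_uri):
        return False, "client_or_redirect_mismatch"
    if "error" in params or not params.get("code"):
        return False, "no_authorization_code"
    return True, tx["verifier"]   # sent as code_verifier in the token request
```

Because the transaction is removed before any other check runs, a failed or repeated callback cannot be retried with the same state and always forces a fresh sign-in.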
7) User Control
Users may revoke access at any time through their Roblox account settings or by disconnecting the account inside UniClover where such a control is available. Revocation, expiration, logout, or removal of local authentication state may disable certain Service features and may require the user to sign in again.
8) Prohibited API Uses
The Service does not:
- Impersonate Roblox or any third party.
- Bypass platform security controls.
- Scrape restricted data.
- Automate actions on behalf of users without consent.
- Use bots to interact with Roblox systems.
- Reuse intercepted authorization codes or tokens outside the intended flow.
- Accept arbitrary redirect URIs or weakened authentication parameters.
- Exploit vulnerabilities, undocumented endpoints, or hidden platform behavior.
9) Fair Competition Enforcement
API access is not used to manipulate gameplay, rankings, rewards, or competition outcomes. Automation, abuse, or technical misuse that provides an unfair advantage is strictly prohibited.
10) Compliance with Platform Policies
UniClover is designed to comply with:
- Roblox Terms of Use.
- Roblox Developer and API policies.
- Applicable data protection laws, including UK GDPR and EU GDPR where relevant.
- Industry-standard security practices proportionate to the Service.
11) Service Providers
We may use trusted infrastructure, hosting, security, and backend support providers to operate the Service. Such providers process data only on our behalf, for defined purposes, and under appropriate safeguards.
12) Changes to This Policy
We may update this policy from time to time to reflect technical, operational, security, or legal changes. The revised version becomes effective when posted, unless a different effective date is stated.
13) Contact Information
86-90 Paul Street, London, EC2A 4NE, United Kingdom, 3rd floor
Company Number: 16299589
D-U-N-S® Number: 233593534
Email: admin@ewstechnology.com
Website: ewstechnology.com