Character Vault
Any Concept / Any System
Compendium
Your System Come To Life
Roll20 for Android
Streamlined for your Tablet
Roll20 for iPad
Streamlined for your Tablet

Personal tools

Mod:Sandbox Model

From Roll20 Wiki

Revision as of 19:16, 25 March 2021 by Andreas J. (Talk | contribs)

Jump to: navigation, search

Attention: Roll20 is no longer maintaining this document on the community wiki. For the most up-to-date information please visit this page on our help center for assistance: Here.


The Roll20 API functions by running a special server-side virtual machine for each campaign. This provides a sandbox where your custom scripts can run without any danger of them affecting other user's campaigns. In addition, this provides a layer of security which prevents a malicious GM from writing scripts which could do bad things like access a player's computer or stall their computer with an infinite loop.

How it Works

If you're curious in the technical details of how the API functions, here's a brief diagram:

'User-written scripts ===> API Server ===> Campaign Sandbox <===> Real-Time Sync Server

The Roll20 API Server listens for activity on your campaign. When it detects that people are using your campaign, it spins up a sandbox for your campaign and loads any API scripts that you have written into the sandbox. The sandbox can receive and send data directly to the real-time sync server, which allows it to respond to events and make changes to the game.

Restrictions from Normal Javascript

While Roll20 scripts are Javascript, there are some restrictions you should be aware of if you're used to programing Javascript for websites. Roll20 scripts are executed in a separate sandbox from the Roll20 site. This provides an additional layer of separation and security for our system and your players. This sandbox means that:

  • You cannot make HTTP Requests (AJAX).
  • You cannot load external scripts or libraries (e.g. jQuery).
  • The environment is Javascript, but it is not an environment in a browser, so there is no DOM, page elements, CSS, document, window, etc.

JavaScript used on character sheets have more or less the same restrictions. Read more: Sheetworkers.