Who uses the Steam Web API

Introduction

Steam provides an HTTP-based web API that you can use to access many Steamworks functions. The API comprises public methods that can be reached from any application that can send HTTP requests, for example game clients or game servers. The API also contains protected methods that require authentication and should only be called by trusted backend applications.

For example, Web API methods are often used by a secured publisher server for the following purposes:
  • Verification of the login data of a Steam user for this server
  • Checking the ownership status of a user for a specific application
  • Setting or retrieving a user's statistics, achievements, or leaderboard scores
  • Making an in-game purchase

For a complete list of everything the Steamworks Web API has to offer, see the documentation article Steamworks Web API Reference.

Request format

The public Steamworks web API is accessed via HTTP requests (port 80) or HTTPS requests (port 443).
If you're a publisher, Steam also provides a partner-only web API server at partner.steam-api.com. The purpose of this service is to have a higher availability than the public host. You should use this service for all requests made from your secured servers. See the documentation article Web API Host Addresses and Firewall Techniques for more information.

Similar to the Steamworks C++ API, the Web API is divided into several interfaces that contain related methods. The URI format of each API request is:
https://api.steampowered.com/<interface>/<method>/v<version>/

Most methods support a list of required and optional parameters. Depending on the method, these parameters must be passed in the request as GET or POST parameters.

Send all requests over HTTP 1.1 and use a secure TLS connection if possible. The content type must be and the POST parameters must be in the standard URL encoding format in the body of the request. Text must be transmitted as UTF-8.

Authentication

Many web API methods have access restrictions that require a unique key. For more information, see the documentation article Authentication Using Web API Keys.

Array parameters

Some methods expect an array of parameters. This is indicated by a postfix in the parameter name. When passing arrays, there is always a parameter that specifies the number of parameters in the array. Example:
?count=2&name[0]=any name&name[1]=any other name

Service interfaces

In addition to the regular web API interfaces, there are service interfaces. These interfaces work very similarly to the regular interfaces; the main difference is that all service APIs accept their arguments not only as GET or POST parameters, but also as a single JSON string. To pass data as a single JSON string, call the Web API method with the input_json parameter set as follows:
?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&input_json={"steamid":76561197972495328}

Please note that the JSON data must be URL-encoded. As before, the "key" and "format" fields should still be passed as separate parameters. POST requests are also supported.

You can tell from the name of the interface whether a web API is a "service": if the name ends in "Service" (as in IPlayerService, for example), then it supports the additional method of passing parameter data. Some service methods have parameters that are more complex and require this alternative input format.
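The request format, array parameters and service-interface input described above, combined in one URL builder. This is an added example, not Valve's code: `build_url` and `redact` are hypothetical helper names, and the array count parameter is assumed to be called `count` as in the page's example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

PUBLIC_HOST = "api.steampowered.com"     # host names as given on this page
PARTNER_HOST = "partner.steam-api.com"


def build_url(host, interface, method, version, key=None, **params):
    """Build an HTTPS request URL in the page's request format."""
    if host == PARTNER_HOST and not key:
        # The partner host answers 403 to any request without a publisher key.
        raise ValueError("partner host requires a publisher key")
    query = [("key", key)] if key else []
    if interface.endswith("Service"):
        # Service interface: key and format stay separate parameters,
        # everything else travels as one JSON string in input_json.
        if "format" in params:
            query.append(("format", params.pop("format")))
        query.append(("input_json", json.dumps(params, separators=(",", ":"))))
    else:
        for name, value in params.items():
            if isinstance(value, (list, tuple)):
                # Array parameter: element count plus name[0], name[1], ...
                # "count" is the name used in the page's example (assumption:
                # a real method documents its own count parameter).
                query.append(("count", len(value)))
                query += [(f"{name}[{i}]", v) for i, v in enumerate(value)]
            else:
                query.append((name, value))
    # urlencode percent-encodes every name and value as UTF-8.
    return f"https://{host}/{interface}/{method}/v{version}/?{urlencode(query)}"


def redact(url):
    """Mask the key value so the URL can be written to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query)]
    return parts._replace(query=urlencode(pairs)).geturl()
```

Because the key travels in the query string, pass URLs through `redact` before they reach access logs, error reports or traces.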

Sample query

The following example gets the 3 most recent news items for Team Fortress 2.
The request specifies that the response should be returned in JSON format and contains the following: a required App ID parameter (Team Fortress 2 has App ID 440) and an optional count parameter that restricts the number of results to be returned.

GET /ISteamNews/GetNewsForApp/v2/?appid=440&count=3 HTTP/1.1\r\nHost: api.steampowered.com\r\nContent-Length: 0\r\n\r\n

With the following link you can carry out this query and view its results:
https://api.steampowered.com/ISteamNews/GetNewsForApp/v2/?appid=440&count=3

You can read more information about this call here: ISteamNews/GetNewsForApp

Get the user's Steam ID

The Steamworks Web API identifies individual users based on their unique 64-bit Steam ID. For information on how to securely access a user's Steam ID, see the documentation article User Authentication and Ownership.

Web API host addresses and firewall procedures

Because the public web API (api.steampowered.com) is behind Akamai's Edge Cache, the IP addresses you see for that name vary with your location and recent service changes. The IP addresses can change quickly and fluidly; read on if your web API calls are sent through an outbound firewall.

You should use the partner-only host (partner.steam-api.com) for all requests sent from your secured servers. This host has a few properties that differ from the public host:
  • This host can only be accessed via HTTPS.
  • This host is not behind Akamai's Edge Cache.
  • Any request to this host must be made with your Publisher Web API key, even requests that would not normally require a key. Requests made without a valid publisher key will return a 403 error code.
  • Requests that return status code 403 (often caused by the use of the normal Web API key instead of your publisher key) are subject to strict data transfer rate limits for the connection's IP address. This is an attempt to ensure high availability.
  • If you are sending requests to this API service from a host that has a firewall filter applied to outbound requests, you should add the DNS name "partner.steam-api.com" to your allow list. If your firewall only supports numeric addresses, then add the following CIDR block to the allow list:
    NOTE: You should not connect to the Web API servers by IP address; please use the DNS name. The addresses are only provided for those clients who have to add these addresses to the allowed list in their firewalls.

Approval of IP addresses

You can put IP addresses on an allow list for WebAPI calls. This is an extra layer of security in case your WebAPI key is compromised and ensures that only WebAPI calls from IP addresses on the allow list are successful. As soon as an IP is approved, all calls from addresses that are not on the approved list are blocked and you receive the error message 403 - Forbidden.

It's easy to put an IP address on the allow list. On any group page with a WebAPI key, please select the "Manage WebAPI key" button and follow the instructions.

Each WebAPI key has its own allow list. It is not necessary to put IP addresses on the allow list.

Note: Approval is no guarantee of the security of the WebAPI key. Protect your key. Don't share it. And change it immediately if it is compromised.
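Both the partner host's rate limit on 403 responses and the IP allow list mean that a 403 should stop a backend from calling again until the key or the allow list has been checked. The sketch below is an added example, not part of the Steamworks documentation: `GuardedCaller`, the injected `send` transport (a callable returning a status and a body) and the 600-second cooldown are assumptions.

```python
import time


class Forbidden(Exception):
    """403 from the Web API: wrong key type, or caller IP not on the allow list."""


class GuardedCaller:
    """Stops sending after a 403 so repeated failures do not hit the rate limit."""

    def __init__(self, send, cooldown=600.0, clock=time.monotonic):
        self._send = send            # hypothetical transport: url -> (status, body)
        self._cooldown = cooldown    # assumed value; the page gives no figure
        self._clock = clock
        self._blocked_until = 0.0
        self.forbidden_count = 0     # export this as an alerting metric

    def call(self, url):
        if not url.startswith("https://"):
            # The partner host can only be accessed via HTTPS.
            raise ValueError("refusing non-HTTPS Web API request")
        now = self._clock()
        if now < self._blocked_until:
            # Do not touch the network: every further 403 counts against
            # the rate limit applied to this server's IP address.
            raise Forbidden("suppressed after earlier 403; check key and allow list")
        status, body = self._send(url)
        if status == 403:
            self.forbidden_count += 1
            self._blocked_until = now + self._cooldown
            raise Forbidden("403 Forbidden from Web API")
        return status, body
```

A non-zero `forbidden_count` on a server that previously worked is worth an alert: per the page, it points to a wrong key type or a source address missing from the key's allow list.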