Steamworks Documentation
VAC Integration

Goals and methodology

The goal of VAC is to strongly discourage users from using cheat software by both having strong penalties if a user is caught cheating, and by making it hard for the cheating community to know if a cheat is actively being detected. VAC is a component of Steamworks and the Steam client, and works by scanning the users system for cheats while your game is running. It works a lot like a virus scanner, and has a database of known cheats to detect. Once a cheat has been detected, the user's account is marked for a delayed ban. A ban doesn't take effect immediately and instead is enforced a few days after the cheats are detected. Once a user ban is in effect, the user will no longer be able to connect to multi-player game servers that are marked as secure. Bans are tied to a user's account, so the only way for the user get un-banned is by creating a new Steam account, and buying another copy of the game.

When a user is VAC Banned, the following happens:
  • The account cannot join secure servers for the AppIDs they are banned
  • The ban is publicly displayed on their Steam Community profile
  • The account can no longer share VAC enabled games
  • If the user is accessing the game via Family Library Sharing, the ban is also applied to the actual owner of the game
More details can be found in our customer facing FAQs: Valve Anti-Cheat System (VAC) and I've been VAC banned.

Requirements

Multi-player
VAC depends on the game server to exclude VAC banned users from games. Thus it only works for multi-player games and does nothing for single player games.

VAC requires the Steamworks authentication APIs
Authentication must be enforced in the game client and server via the Steam Authentication APIs.

Enable Anti-Cheat APIs
This can be done from the Anti-Cheat Configuration page in the App Admin panel. These APIs must be enabled to apply Game bans and for VAC to detect cheats in your app.

An active developer looking for cheats
VAC only attempts to detect cheats reported by the developer. Valve does not actively seek out cheats either automatically or through manual digging. Please report cheats by using the ICheatReportingService/ReportCheatData Web API and with a notification to valveanticheat@valvesoftware.com so that we can characterize them and include them in our cheat detection.

Secure game servers

A "secure" game is one that doesn't allow convicted cheaters to play on it. Individual instances of your game can choose at run-time whether or not they are secure or insecure. It's up to your game to choose the policy on this, but typically games default to being secure with an option to let the user start the game as insecure. This separates the cheaters from the rest of your community while still letting them play the game. Only users connected to a secure server will be scanned for cheats.

Integration

VAC cheat detection is independent of your game client; that work is done by Steam. The game should use best practices and protect its assets and internal state. The game needs to use the Steamworks API to find out whether or not a user is VAC banned. There are 3 results returned in the ISteamUser::ValidateAuthTicketResponse_t callback from ISteamUser::BeginAuthSession that are specific to VAC. The VAC specific authentication results are:

Related Web APIs

See the Web API documentation for more information on how to use the following Web APIs.