Steamworks Documentation
ICheatReportingService Interface
This service allows your game to report cheats and cheaters to the VAC system and provides the toolset behind the Game Bans system. It enables two independent workflows for detecting and managing cheating in your game:
  • Gather community reports of cheating and request bans/suspensions based upon this information.
  • Submit detailed information about known cheat software to the VAC system. Once processed, this information will be used to automatically detect and ban players using known cheats.

To use this interface you must first opt in to VAC support. This can be done from the Anti-Cheat Configuration page in the App Admin panel.

NOTE: This is a Service interface, methods in this interface should be called with the input_json parameter.

For more info on how to use the Steamworks Web API please see the Web API Overview.

ReportPlayerCheating

POST https://partner.steam-api.com/ICheatReportingService/ReportPlayerCheating/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64The Steam ID of the user who is being reported for cheating.
appiduint32The App ID for the game.
steamidreporteruint64(Optional) The Steam ID of the user or game server who is reporting the cheating.
appdatauint64(Optional) App specific data about the type of cheating set by developer. (ex 1 = Aimbot, 2 = Wallhack, 3 = Griefing)
heuristicbool(Optional) Extra information about the source of the cheating - was it a heuristic.
detectionbool(Optional) Extra information about the source of the cheating - was it a detection.
playerreportbool(Optional) Extra information about the source of the cheating - was it a player report.
noreportidbool(Optional) Don't return reportid. This should only be passed if you don't intend to issue a ban based on this report.
gamemodeuint32(Optional) Extra information about state of game - was it a specific type of game play or game mode. (0 = generic)
suspicionstarttimeuint32(Optional) Extra information indicating how far back the game thinks is interesting for this user. Unix epoch time (time since Jan 1st, 1970).
severityuint32(Optional) Level of severity of bad action being reported. Scale set by developer.

ReportPlayerCheating is designed to gather community reports of cheating, where one player reports another player within the game.

It is intended for unreliable data from peers in the game ( semi-trusted sources ). The back-end that reports the data should ensure that both parties are authenticated, but the data in itself is treated as hearsay. Optional parameters may be used to encode the type of cheating that is suspected or additional evidence ( an identifier pointing to the match/demo for further review )

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

RequestPlayerGameBan

POST https://partner.steam-api.com/ICheatReportingService/RequestPlayerGameBan/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64Steam ID of the user who is reported as cheating.
appiduint32The appid of the game.
reportiduint64The reportid originally used to report cheating.
cheatdescriptionstringText describing cheating infraction.
durationuint32Ban duration requested in seconds. (duration 0 will issue infinite - less than a year is a suspension and not visible on profile)
delaybanboolDelay the ban according to default ban delay rules.
flagsuint32Additional information about the ban request. (Unused)

Requests a game ban on a specific player.

This is designed to be used after the incidents from ReportPlayerCheating have been reviewed and cheating has been confirmed.

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

RemovePlayerGameBan

POST https://partner.steam-api.com/ICheatReportingService/RemovePlayerGameBan/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64The Steam ID of the user to remove the game ban on.
appiduint32The App ID of the game.

Remove a game ban on a player.

This is used if a Game ban is determined to be a false positive.

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

GetCheatingReports

GET https://partner.steam-api.com/ICheatReportingService/GetCheatingReports/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
appiduint32The App ID for the game.
timeenduint32The end of the time range. Formatted as Unix epoch time (time since Jan 1st, 1970).
timebeginuint32The beginning of the time range. Formatted as Unix epoch time (time since Jan 1st, 1970).
reportidminuint64Minimum reportID to include. (can pass 0 - end of previous report range)
includereportsbool(Optional) Include reports. If false includebans must be true.
includebansbool(Optional) Include ban requests? If false includereports must be true.
steamiduint64(Optional) Query just for this Steam ID.

Get a list of cheating reports submitted for this app.

Used to gather the cheating reports so that they may be reviewed and a determination made.

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

ReportCheatData

POST https://api.steampowered.com/ICheatReportingService/ReportCheatData/v1/
NameTypeRequiredDescription
keystringSteamworks Web API user authentication key.
steamiduint64Steam ID of the user running and reporting the cheat.
appiduint32The App ID of the game.
pathandfilenamestringPath and file name of the cheat executable.
webcheaturlstringWeb url where the cheat was found and downloaded.
time_nowuint64Local system time now. 64 bit windows system time.
time_starteduint64Local system time when cheat process started. ( 0 if not yet run ) 64 bit windows system time.
time_stoppeduint64Local system time when cheat process stopped. ( 0 if still running ) 64 bit windows system time.
cheatnamestringDescriptive name for the cheat.
game_process_iduint32Process ID of the running game.
cheat_process_iduint32Process ID of the cheat process that ran.
cheat_param_1uint64Extra cheat data.
cheat_param_2uint64Extra cheat data.

Reports cheat data. Only use on test account that is running the game but not in a multiplayer session.

This is for reporting specific cheats to the VAC system. This is done by running the cheat and the game and then calling this webapi.
NOTE: Because of this you should only use a test account on a disposable machine outside your network. You must also use a standard Web API key obtained from http://steamcommunity.com/developer for that test account, not a partner Web API key. After calling this, the system should be left idle for at least a half an hour so that VAC may fully scan the system. The test account will be flagged and not allowed to authenticate into multiplayer games in the future, so be sure to always use a test account that is for cheat reporting only.

If the call does not report success, then the report has been ignored.

Calling Example:
# requires python 2.7 import sys, os, time if sys.version_info >= ( 2, 7 ): # import argparse print "Found python 2.7 or greater" else: print "Must use python 2.7 or greater" exit() import urllib import urllib2 import json g_mapUniverseToWebapiServer = { 'public' : { 'host' : 'api.steampowered.com', 'port_http' : 80, 'port_https' : 443, }, } g_bReadied = False # get ready to issue webapi requests def readyAPIRequest( universe ): global g_bReadied # if proxy is needed enable here # WARNING: it is not recommended to use this from inside your LAN # because that would mean you are running cheats inside your LAN proxyneeded = 0 if proxyneeded == 1: urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler( {"http":"http://proxy.valvesoftware.com:80"} ) ) ) else: urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler({}) ) ) g_bReadied = True # perform a webapi request - currently assumes response is JSON # # you must pass # universe - string # interface - which interface are you calling # request - the name of the method # # optional parameters # method - GET or PUT # protocol - http or https # version - defaults to 0001 # timeout - defaults to 120 # # other keyword arguments supplied are used as parameters to the webapi; e.g. to use # a webapi key, 'key=0123456' def issueWebAPIRequest( universe=None, interface=None, request=None, method='GET', protocol='http', version='0001', timeout=120, **kwargs ): if not universe or not request or not interface: raise NameError( 'Need universe, interface, and request' ) if not g_bReadied: raise RuntimeError( 'call readyAPIRequest first to ensure the proxy is set' ) entry = g_mapUniverseToWebapiServer[] server = entry[] port = entry[] url = '%s://%s:%s/%s/%s/v%s/' % ( protocol, server, port, interface, request, version ) if method == 'GET': sep = '?' for kw in kwargs: url = url + sep + kw + '=' + str( kwargs[] ) sep = '&' rf = urllib2.urlopen( url, timeout=timeout ) else: rf = urllib2.urlopen( url, urllib.urlencode( kwargs ), timeout=timeout ) return json.load( rf ) def sendcheatreport(): readyAPIRequest( 'public' ) print "Current time is ",int(time.time()) # fill in defaults # steamid should look like 7XXXXXXXXXXXXXXX steamid = 0 # key should be a hex string key = '' # fill in your appid gameappid = 0 # init vars cheatprocid = 0 timecheatran = 0 cheatterminated = 0 timecheatstopped = 0 if steamid == 0: steamid = raw_input( 'Input steam ID: ' ) if not key: key = raw_input( 'Input web api key: ' ) if gameappid == 0: gameappid = raw_input( 'Input game appid: ' ) cheatnamestring = raw_input( 'Input cheat descriptive name: ' ) cheatpathstring = raw_input( 'Input full path to cheat file: ' ) webcheaturlstring = raw_input( 'Input full URL to cheat download page (optional): ' ) cheatfiletype = int(raw_input( 'Input 1 if .exe or input 2 if other file type: ' )) if cheatfiletype == 1: cheatprocid = raw_input( 'Input cheat process id (Input 0 if stopped or unsure): ' ) timecheatran = int(time.time()) cheatterminated = int(raw_input( 'Input 1 if cheat is still running or input 0 if it has stopped: ' )) timecheatstopped = int(time.time()) if cheatterminated == 1: timecheatstopped = 0 gameprocid = raw_input( 'Input game process id: ' ) print "sending webapi data now " print "steamid: ", steamid print "key: ", key print "gameappid: ", gameappid print "cheatnamestring: ", cheatnamestring print "cheatpathstring: ", cheatpathstring print "webcheaturlstring: ", webcheaturlstring print "cheatprocid: ", cheatprocid print "timecheatran: ", timecheatran print "timecheatstopped: ", timecheatstopped print "gameprocid: ", gameprocid # ready to go! results = issueWebAPIRequest( universe='public', interface='icheatreportingservice', request='reportcheatdata', key=key, protocol='https', method='POST', cheatname=cheatnamestring, appid=gameappid, game_process_id=gameprocid, cheat_process_id=cheatprocid, pathandfilename=cheatpathstring, webcheaturl=webcheaturlstring, time_now=int(time.time()), time_started=timecheatran, time_stopped=timecheatstopped, steamid=steamid ) print "webapi results:", results # clean up def main(): sendcheatreport() if __name__ == '__main__': main()

RequestVacStatusForUser

POST https://partner.steam-api.com/ICheatReportingService/RequestVacStatusForUser/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64The Steam ID of the user.
appiduint32The App ID of the game the user is playing.
session_iduint64The Session ID that was obtained from the call to StartSecureMultiplayerSession.

Checks a user's VAC ban status and verifies a user's VAC session status. If verification fails, then do not let the user matchmake into a secure game.

This is used before a user enters matchmaking or joins a game. If the player is blocking VAC in some way and VAC can not scan the computer for cheats, it will report success = true and session_verified = false. Checking this webapi will allow you to prevent the user from matchmaking or joining a server and then just getting kicked by VAC a short time later ( with a k_EAuthSessionResponseVACCheckTimedOut result from an authentication callback ). The VAC system may not always have had time to fully determine if the clients system is cooperating, and if so it will report success = false. It is also possible for the players system to pass the initial check but then fail to respond later, in that case verification will succeed, but a k_EAuthSessionResponseVACCheckTimedOut may follow later.


NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

Web API Sessions

NOTE: For games that have integrated Steam Authentication the following API calls should not be used. These games should use the ISteamUser interface P2P or Game Servers setup instead. Access to the following set of calls must be manually enabled by Valve and they are only to be used in games that handle user authentication completely independent of Steam.

StartSecureMultiplayerSession

POST https://partner.steam-api.com/ICheatReportingService/StartSecureMultiplayerSession/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64steamid of the user.
appiduint32The App ID of the game.

Tell the VAC servers that a secure multiplayer session has started.

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

EndSecureMultiplayerSession

POST https://partner.steam-api.com/ICheatReportingService/EndSecureMultiplayerSession/v1/
NameTypeRequiredDescription
keystringSteamworks Web API publisher authentication key.
steamiduint64steamid of the user.
appiduint32The App ID of the game.
session_iduint64The Session ID that was obtained from the call to StartSecureMultiplayerSession.

Tell the VAC servers that a secure multiplayer session has ended.

NOTE: This call requires a publisher API key to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

Response:
[
{
"name": "success",
"type": "bool",
"description": ""
}
]