Steamworks Documentation
Web API Overview

Introduction

Steam exposes an HTTP based Web API which can be used to access many Steamworks features. The API contains public methods that can be accessed from any application capable of making an HTTP request, such as game client or server. The API also contains protected methods that require authentication and are intended to be accessed from trusted back-end applications.

As an example, Web API methods are commonly used by a secure publisher server to:
  • Verify a Steam user's credentials with that server
  • Check if a user owns a particular application
  • Set or retrieve a user's stats, achievements or leaderboard scores
  • Execute an in-game purchase

You can find a complete list of everything offered by the Steamworks Web API in the Steamworks Web API Reference.

Request Format

The public Steamworks Web API is accessed by making HTTP (port 80) or HTTPS (port 443) requests to api.steampowered.com.
If you're a publisher, then Steam also provides a partner-only Web API server hosted at https://partner.steam-api.com. The intent of this service is to have higher availability than the public host; you should use this service for all requests made from your secure servers. See Web API Host Addresses, Firewall Considerations for more information.

Similar to the Steamworks C++ API, the Web API has been divided into multiple interfaces that contain related methods. The URI format of each API request is:
https://api.steampowered.com/<interface>/<method>/v<version>/

Most methods support a list of required and optional parameters. Depending on the method, these parameters must be passed in as GET or POST params in the request.

All requests should be sent using HTTP 1.1 and use a secure TLS connection when possible. The Content-Type must be application/x-www-form-urlencoded and the POST parameters must be in the body of the request in standard form urlencoding format. Text must be transmitted as UTF-8.

Authentication

Many Web API methods have access restrictions which require a unique key, see Authentication using Web API Keys for more information.

Array Parameters

Some methods are expecting an array of parameters. This is specified by a [0] postfix on the parameter name. When passing arrays there will always be a count parameter that specifies the number of parameters in the array. For example:
?count=2&name[0]=SomeNameHere&name[1]=SomeOtherName

Service Interfaces

In addition to the regular web api calls are the service interfaces. These interfaces function very similarly to the regular interfaces, the primary difference being that all service APIs will accept their arguments as a single JSON blob in addition to taking them as GET or POST parameters. To pass in data as JSON, invoke the web API method with the input_json parameter set like:
?key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&input_json={"steamid":76561197972495328}

Note that the JSON will need to be URL-encoded. The "key" and "format" fields should still be passed as separate parameters, as before. POST requests are supported as well.

You can identify if a WebAPI is a "Service" by the name of the interface; if it ends in "Service" like IPlayerService, then it supports this additional method of passing parameter data. Some Service methods have parameters that have more complex structures and require this alternative input format.

Example Query

The following example retrieves the 3 most recent news entries for Team Fortress 2.
The request specifies that the response should be returned as JSON and includes: a required appid parameter (Team Fortress 2's AppID is 440), and an optional count parameter to limit the number of results returned.

GET /ISteamNews/GetNewsForApp/v2/?appid=440&count=3\r\n Host: api.steampowered.com/r/n Content-Length: 0\r\n\r\n

You can execute and view the results of this query with this link:
https://api.steampowered.com/ISteamNews/GetNewsForApp/v2/?appid=440&count=3

You can read more about this specific call here: ISteamNews/GetNewsForApp

Obtaining the User's SteamID

The Steamworks Web API identifies individual users by using the their unique 64-bit Steam ID. To learn how to securely obtain the user's Steam ID, see User Authentication and Ownership.

Web API Host Addresses, Firewall Considerations

The public Web API (api.steampowered.com) is behind Akamai's edge cache, so the actual IP addresses you will see for the name will vary based on your location and on ongoing service changes. The IPs can change rapidly and fluidly, so if your Web API calls are made through a firewall on outbound requests, read on.

You should be using the partner-only node (https://partner.steam-api.com) for all requests made from your secure servers. This host has some different properties than the public host:
  • This host is only accessible via HTTPS.
  • This host is not behind Akamai's edge cache.
  • Every request to this host must be made with your publisher Web API key, even requests which would ordinarily not need any key. Requests made without a valid publisher key will return a 403 error code.
  • Requests generating 403 status codes, which typically happens when using a regular Web API key instead of your publisher key, will incur strict rate limits for the connecting IP. This is in an effort to ensure high availability.
  • If you will be making requests to this API service from a host that has a firewall filter applied to outgoing requests, you should add the DNS name 'partner.steam-api.com' to your allow list. If your firewall only supports numeric addresses, add the following CIDR block to the allow list: 208.64.200.0/22.
    NOTE: You should not connect to the Web API servers by IP; please use the DNS name. These addresses are provided only for those clients who need to whitelist these addresses in their firewalls.

IP Address Whitelisting

We allow whitelisting of IP addresses for WebAPI calls. This is an added layer of security in the event that your WebAPI key is compromised, because it ensures that only WebAPI calls from whitelisted IP addresses will be successful. Once any IP is set to be whitelisted, all other requests from non-whitelisted addresses will be blocked and return a 403 - Forbidden response.

Adding IP addresses to the whitelist is easy. From any Group page that has a WebAPI key, click the "Manage WebAPI Key" button and follow the instructions.

Each WebAPI key has its own whitelist, and adding ip addresses to the whitelist is not required.

Note: Whitelisting does not guarantee WebAPI key security. Protect your key, do not share it, and change it immediately if it is compromised.