OAuth allows partner sites and applications on embedded platforms to perform certain operations on behalf of authenticated Steam users in a secure manner.
To use OAuth, first you will need to obtain a Client ID from Valve. See Getting Started for more detail.
Some OAuth APIs also require a WebAPI publisher key to validate your identity as a Steam partner. These APIs can only be called from your servers, as the key cannot be shared with clients. Such APIs will be indicated by the presence of a key parameter.
WebAPI services with OAuth-enabled methods include: ICloudService, IBroadcastService, IGameNotificationsService, IPlayerService, and IPublishedFileService.
For the sake of illustration, http://redirect/uri/here will be used to represent the redirect URI.
Getting Started
Steam's implementation is based upon OAuth 2.0.
During your initial setup you will need to contact Valve with the following information:
- What permissions you need to obtain from the user. The required permissions are listed below with each API call. Note that if you are not planning on supporting cross-platform Cloud sync or Workshop support, we will not provide you with a Client ID.
- The token lifetime.
- The redirect URI to send the user back to after completing authentication/authorization.
In return, Valve will assign a Client ID for your implementation.
To authenticate a user, redirect the user to
https://steamcommunity.com/oauth/login?response_type=token&client_id=client_id_here&state=whatever_you_want
Adding &mobileminimal=1 to the above request is recommended for embedded browsers, as it removes some of the Steam site navigation UI that will not be relevant when the OAuth page is presented directly to a user within your game.
If you include the state parameter, it will be passed back to the redirect URI after the user has confirmed or denied access. Note that the authorization code grant type is also supported, by using response_type=code during login.
If the user grants access, they will be redirected back to you at
http://redirect/uri/here#access_token=token_here&token_type=steam&state=whatever_you_want
The token should be treated as an opaque string. Tokens are currently 32-character hexadecimal strings, but that is subject to change. This API also includes a deprecated steamid parameter, which must be ignored. Please check Retrieving the User's SteamID below for how to retrieve the user's SteamID securely.
If the user denies access, they will be redirected back to you at
http://redirect/uri/here#error=access_denied&state=whatever_you_want
Note that the response (including the token) is provided in the URI fragment, so it will need to be accessed client-side and passed back to your server if you need to do server-side requests.
Once you have the user's token, you can begin API requests as documented below.
Unless otherwise noted below, requests should be HTTP POST requests presented as form data and should set this header:
Content-Type: application/x-www-form-urlencoded
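The redirect handling described above, as an added example (not Valve's code): it builds the login URL, binds the response to the login attempt by checking the returned state (standard OAuth 2.0 practice against cross-site request forgery), keeps the token opaque, and never reads the deprecated steamid parameter. The function names and result shape are assumptions made for this illustration.

```javascript
const LOGIN_URL = 'https://steamcommunity.com/oauth/login';

// Browser-side: unguessable per-login state value (Web Crypto API).
// Store it (e.g. in sessionStorage) before redirecting the user.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// clientId is the Client ID assigned by Valve; embedded adds mobileminimal=1.
function buildLoginUrl(clientId, state, embedded = false) {
  const q = new URLSearchParams({ response_type: 'token', client_id: clientId, state });
  if (embedded) q.set('mobileminimal', '1');
  return `${LOGIN_URL}?${q}`;
}

// Compare without an early exit on the first differing character.
function sameState(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// fragment: location.hash after the redirect.
// expectedState: the value stored before the login redirect.
function parseRedirect(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  // Reject anything not tied to a login this client started.
  if (!sameState(p.get('state'), expectedState)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (p.has('error')) return { ok: false, reason: p.get('error') };
  const token = p.get('access_token');
  if (!token || p.get('token_type') !== 'steam') {
    return { ok: false, reason: 'malformed_response' };
  }
  // Token is opaque: no length or hex check, since the format may change.
  // The deprecated steamid parameter is deliberately never read.
  return { ok: true, accessToken: token };
}
```

In a page, call parseRedirect(location.hash, storedState), then clear the fragment (for example with history.replaceState) so the token does not linger in the address bar or history.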
Retrieving the User's SteamID
Once you have an OAuth token for a user, you can make a server-to-server call to securely get the SteamID for the user associated with that token by calling:
https://api.steampowered.com/ISteamUserOAuth/GetTokenDetails/v1/?access_token=token
Accessing Steam Cloud
To access Steam Cloud on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.
Once you have the OAuth token, use the ICloudService Steam WebAPI.
Accessing Steam Workshop
To access Steam Workshop on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.
Once you have the OAuth token, use the IPublishedFileService Steam WebAPI.