Steamworks Documentation
OAuth
OAuth allows partner sites and applications on embedded platforms to perform certain operations on behalf of authenticated Steam users in a secure manner.

To use OAuth, first you will need to obtain a Client ID from Valve. See Getting Started for more detail.

Some OAuth APIs also require a WebAPI publisher key to validate your identity as a Steam partner. These APIs can only be called from your servers, as the key cannot be shared with clients. Such APIs will be indicated by the presence of a key parameter.

WebAPI services with OAuth-enabled methods include: ICloudService, IBroadcastService, IGameNotificationsService, IPlayerService, and IPublishedFileService.

For the sake of illustration, http://redirect/uri/here will be used to represent the redirect URI.

Getting Started


Steam's implementation is based upon OAuth 2.0.
During your initial setup you will need to contact Valve with the following information:
  • What permissions you need to obtain from the user. The required permissions are listed below with each API call.
  • The token lifetime.
  • The redirect URI to send the user back to after completing authentication/authorization.
In return, Valve will assign a Client ID for your implementation.

To authenticate a user, redirect the user to

https://steamcommunity.com/oauth/login?response_type=token&client_id=client_id_here&state=whatever_you_want

Adding &mobileminimal=1 to the above request is recommended for embedded browsers, as it removes some of the Steam site navigation UI that will not be relevant when the OAuth page is presented directly to a user within your game.

If you include the state parameter, it will be passed back to the redirect URI after the user has confirmed or denied access.

If the user grants access, they will be redirected back to you at

http://redirect/uri/here#access_token=token_here&token_type=steam&steamid=user_id_here&state=whatever_you_want

The token should be treated as an opaque string. Tokens are currently 32-character hexadecimal strings, but that is subject to change. The user ID is the 64-bit Steam ID of the user, in base 10.

If the user denies access, they will be redirected back to you at

http://redirect/uri/here#error=access_denied&state=whatever_you_want

Note that the response (including the token) is provided in the URI fragment, so it will need to be accessed client-side and passed back to your server if you need to do server-side requests.
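
The redirect handling described above, as an added example (not Valve's code). The helper names buildLoginUrl and parseRedirect and all sample values are hypothetical. Rejecting a response whose state differs from the value you sent is standard OAuth 2.0 practice, not a requirement stated on this page.

```javascript
// Added example: client-side handling of the Steam OAuth redirect.
const LOGIN_ENDPOINT = "https://steamcommunity.com/oauth/login";

// Build the login URL. `state` should be an unguessable per-request value
// stored by the caller so the response can be tied to this request.
function buildLoginUrl(clientId, state, embedded = false) {
  const q = new URLSearchParams({ response_type: "token", client_id: clientId, state });
  if (embedded) q.set("mobileminimal", "1"); // recommended for embedded browsers
  return `${LOGIN_ENDPOINT}?${q}`;
}

// Parse the URI fragment of the redirect and validate it before use.
function parseRedirect(redirectUrl, expectedState) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, "");
  const p = new URLSearchParams(fragment);

  // Check state first: a response we did not initiate is discarded,
  // whether it carries a token or an error.
  if (!expectedState || p.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (p.has("error")) {
    return { ok: false, reason: p.get("error") }; // e.g. access_denied
  }

  const token = p.get("access_token");
  const steamid = p.get("steamid") ?? "";
  if (!token || p.get("token_type") !== "steam") {
    return { ok: false, reason: "malformed_response" };
  }
  // The token is opaque: no length or hex check, since the format may change.
  // The Steam ID is a 64-bit integer in base 10, so it must fit in 64 bits.
  if (!/^\d{1,20}$/.test(steamid) || BigInt(steamid) > 0xFFFFFFFFFFFFFFFFn) {
    return { ok: false, reason: "malformed_response" };
  }
  return { ok: true, token, steamid }; // keep steamid as a string, not a Number
}

// Constructed sample redirect (token and Steam ID are made up).
const SAMPLE_REDIRECT =
  "http://redirect/uri/here#access_token=0123456789abcdef0123456789abcdef" +
  "&token_type=steam&steamid=76561198000000000&state=s1";
```

In a browser, pass window.location.href as redirectUrl, then clear the fragment (for example with history.replaceState) so the token does not linger in the address bar or history.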

Once you have the user's token, you can begin API requests as documented below.
Unless otherwise noted below, requests should be HTTP POST requests presented as form data and should set this header:

Content-Type: application/x-www-form-urlencoded

Accessing Steam Cloud


To access Steam Cloud on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.

Once you have the OAuth token, use the ICloudService Steam WebAPI.

Accessing Steam Workshop


To access Steam Workshop on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.

Once you have the OAuth token, use the IPublishedFileService Steam WebAPI.