Steamworks Documentation
OAuth
OAuth allows partner sites and applications on embedded platforms to perform certain operations on behalf of authenticated Steam users in a secure manner.

To use OAuth, first you will need to obtain a Client ID from Valve. See Getting Started for more detail.

Some OAuth APIs also require a WebAPI publisher key to validate your identity as a Steam partner. These APIs can only be called from your servers, as the key cannot be shared with clients. Such APIs will be indicated by the presence of a key parameter.

WebAPI services with OAuth-enabled methods include: ICloudService, IBroadcastService, IGameNotificationsService, IPlayerService, and IPublishedFileService.

For the sake of illustration, http://redirect/uri/here will be used to represent the redirect URI.

Getting Started


Steam's implementation is based upon OAuth 2.0.
During your initial setup you will need to contact Valve with the following information:
  • What permissions you need the user to grant. The required permissions are listed below with each API call. Note that if you are not planning on supporting cross-platform Cloud sync or Workshop support, we will not provide you with a Client ID.
  • The token lifetime.
  • The redirect URI to send the user back to after completing authentication/authorization.
In return, Valve will assign a Client ID for your implementation.

To authenticate a user, redirect the user to

https://steamcommunity.com/oauth/login?response_type=token&client_id=client_id_here&state=whatever_you_want

Adding &mobileminimal=1 to the above request is recommended for embedded browsers, as it removes some of the Steam site navigation UI that will not be relevant when the OAuth page is presented directly to a user within your game.

If you include the state parameter, it will be passed back to the redirect URI after the user has confirmed or denied access. Note that the authorization code grant type is also supported, by using response_type=code during login.

If the user grants access, they will be redirected back to you at

http://redirect/uri/here#access_token=token_here&token_type=steam&state=whatever_you_want

The token should be treated as an opaque string. Tokens are currently 32-character hexadecimal strings, but that is subject to change. This API also includes a deprecated steamid parameter, which must be ignored. Please check Retrieving the User's SteamID below for how to retrieve the user's SteamID securely.

If the user denies access, they will be redirected back to you at

http://redirect/uri/here#error=access_denied&state=whatever_you_want

Note that the response (including the token) is provided in the URI fragment, so it will need to be accessed client-side and passed back to your server if you need to do server-side requests.
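
The client-side handling described above, as an added example that is not Valve's code: it builds the login URL, then parses the redirect fragment, checks the returned state against the value issued for this login, and never reads the deprecated steamid parameter. The function names, the state_mismatch, missing_fragment and malformed_response error labels, and the check that token_type equals steam (taken from the sample redirect above) are assumptions of this example.

```javascript
// Added example, not Valve's code. Function names and the local error labels
// are hypothetical; the URL shapes are the ones shown on this page.
const LOGIN_ENDPOINT = "https://steamcommunity.com/oauth/login";

// Fresh unguessable state per login attempt; store it (e.g. sessionStorage)
// before redirecting so the response can be tied to this browser session.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function buildLoginUrl(clientId, state, embedded = false) {
  const url = new URL(LOGIN_ENDPOINT);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("state", state);
  if (embedded) url.searchParams.set("mobileminimal", "1");
  return url.toString();
}

// Parse the fragment of the redirect URI.
// Returns { ok: true, token } or { ok: false, error }.
function parseRedirect(redirectUri, expectedState) {
  const hashIndex = redirectUri.indexOf("#");
  if (hashIndex === -1) return { ok: false, error: "missing_fragment" };
  const params = new URLSearchParams(redirectUri.slice(hashIndex + 1));

  // Check state first: a response that does not echo the value we issued
  // was not produced by our own login request, so nothing in it is trusted.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  if (params.has("error")) return { ok: false, error: params.get("error") };

  const token = params.get("access_token");
  if (!token || params.get("token_type") !== "steam") {
    return { ok: false, error: "malformed_response" };
  }
  // The token is opaque: no length or hex check. The deprecated steamid
  // parameter is deliberately never read; the SteamID comes from the
  // server-side GetTokenDetails call instead.
  return { ok: true, token };
}
```

Only the token leaves this function; pass it to your server, which then resolves the SteamID itself as described under Retrieving the User's SteamID.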

Once you have the user's token, you can begin API requests as documented below.
Unless otherwise noted below, requests should be HTTP POST requests presented as form data and should set this header:

Content-Type: application/x-www-form-urlencoded

Retrieving the User's SteamID

Once you have an OAuth token for a user, you can make a server-to-server call to securely get the SteamID for the user associated with that token by calling:

https://api.steampowered.com/ISteamUserOAuth/GetTokenDetails/v1/?access_token=token

Accessing Steam Cloud


To access Steam Cloud on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.

Once you have the OAuth token, use the ICloudService Steam WebAPI.

Accessing Steam Workshop


To access Steam Workshop on behalf of a user, your OAuth client will need the read_cloud and/or write_cloud permission(s).
These permissions are scoped by AppId, so make sure to specify all AppIds which should be included when creating your Client ID.

Once you have the OAuth token, use the IPublishedFileService Steam WebAPI.