Steam exposes an HTTP-based Web API which can be used to access many Steamworks features. The API contains public methods that can be accessed from any application capable of making an HTTP request, such as a game client or server. The API also contains protected methods that require authentication and are intended to be accessed from trusted back-end applications.
As an example, Web API methods are commonly used by a secure publisher server to:
The Steamworks Web API is accessed by making HTTP/HTTPS requests to api.steampowered.com. Similar to the Steamworks C++ API, the Web API has been divided into multiple interfaces that contain related methods. The URI format of each API request is:
A list of the currently supported interfaces and methods can be found by accessing GetSupportedAPIList. Some API methods require an API key (described below) and are not listed by this method unless a valid key is provided.
Most methods support a list of required and optional parameters. Depending on the method, these parameters must be passed in as GET or POST parameters in the request. For each method, GetSupportedAPIList returns the following related elements:
httpmethod - the HTTP method by which parameters must be passed (GET or POST)
parameters - a list of all parameters supported by the method
parameter/name - the name of a parameter
true if the parameter is optional (failing to pass a required parameter will result in an HTTP 404 response)
version - the current method version. Must be formatted as v#### (v0001 for version 1)
All requests should be sent using HTTP 1.1 and use SSL v3, 128 bit encryption when appropriate. The Content-Type must be application/x-www-form-urlencoded and the POST parameters must be in the body of the request in standard form urlencoding format. Text must be transmitted as UTF-8.
Steam supports returning Web API responses in multiple formats. By default, all responses are returned JSON encoded. However, each request can optionally contain a format parameter to specify the desired response format. The following values can be passed for this parameter:
A flexible solution should be used to parse Web API results as each method may return results in an arbitrary order.
Some Web API methods return publicly accessible data and do not require authorization when called. Other methods may require clients to register for an API key and pass that in using the key parameter. There are also methods that return sensitive data or perform a protected action and require special access permissions. These APIs require a publisher key, which you will need to create before calling these APIs. To create one of these keys, please see Creating a Publisher Key below.
If you don't require access to these special methods, you can register a regular API key from the registration page on the Steam Community.
To securely identify a publisher, and allow access to protected methods, a publisher may request a Web API key which can be passed to the appropriate methods using the key parameter. Each key is associated with a publisher group and can be used to access data for AppIDs that are also associated with that group. To receive a publisher Web API key, see Creating a Publisher Key below.
Web API keys provide access to sensitive user data and protected methods. These keys are intended to be used for Web API requests that originate from secure publisher servers. The keys must be stored securely, and must not be distributed with a game client. All Web API requests that contain Web API keys should be made over HTTPS.
To create a publisher Web API key, you will need to have administrator permissions within an existing Steamworks partner account. If you are not an administrator yourself, you can see a list of administrators for your partner account by visiting your Steamworks Home Page and viewing the list on the right-hand side. Any one of them can create your Web API key or can promote you to admin if appropriate.
To create a Web API key:
The following example retrieves the latest news for Team Fortress 2. The request specifies that the response should be returned as JSON and includes: a required appid parameter (Team Fortress 2's AppID is 440), and an optional count parameter to limit the number of results returned.
GET /ISteamNews/GetNewsForApp/V0001/?format=json&appid=440&count=3 HTTP/1.1\r\n
Host: api.steampowered.com\r\n
Content-Length: 0\r\n
\r\n
You can execute and view the results of this query with this link.
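The request rules above (required parameters, the v#### version format, form-urlencoded UTF-8 POST bodies, keys only over HTTPS) can be enforced before anything is sent. The following is an added example, not code from Valve or from the original page: the descriptor dict is constructed, its "interface" field and the function names build_request and redact are assumptions, and the URL layout is inferred from the GetNewsForApp example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed descriptor: element names follow this page's GetSupportedAPIList
# list (httpmethod, parameters, name, optional, version); "interface" is an
# assumption added here so one dict carries everything the URL needs.
NEWS = {"interface": "ISteamNews", "name": "GetNewsForApp", "version": 1,
        "httpmethod": "GET",
        "parameters": [{"name": "appid", "optional": False},
                       {"name": "count", "optional": True}]}

def build_request(desc, params, key=None, base="https://api.steampowered.com"):
    """Build, without sending, a Web API request from a method descriptor."""
    fields = dict(params)
    if key is not None:
        if urlsplit(base).scheme != "https":
            raise ValueError("refusing to attach an API key to a non-HTTPS URL")
        fields["key"] = key
    required = {p["name"] for p in desc["parameters"] if not p["optional"]}
    missing = sorted(required - fields.keys())
    if missing:  # the server would answer HTTP 404; fail before any network I/O
        raise ValueError(f"missing required parameters: {missing}")
    # The version is formatted as v#### (v0001 for version 1).
    url = f"{base}/{desc['interface']}/{desc['name']}/v{desc['version']:04d}/"
    encoded = urlencode(fields, encoding="utf-8")  # text goes out as UTF-8
    if desc["httpmethod"] == "POST":
        # POST parameters travel in the body, form-urlencoded, not in the URL.
        return Request(url, data=encoded.encode("ascii"), method="POST",
                       headers={"Content-Type": "application/x-www-form-urlencoded"})
    return Request(f"{url}?{encoded}", method="GET")

def redact(url):
    """Mask the key parameter so a request URL can be written to logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    req = build_request(NEWS, {"format": "json", "appid": 440, "count": 3})
    print(req.get_method(), redact(req.full_url))
```

On a publisher server the key would be read from a secret store or environment variable at call time and passed as the key argument, never embedded in source shipped with a game client.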
Steamworks Web API methods identify users by the user's 64-bit SteamID. To learn how to securely obtain the user's SteamID, see Authentication & Ownership.
The public Steamworks Web API is hosted on
The public Web API host is accessible via HTTP (port 80) and HTTPS (port 443). Note that any requests using your publisher Web API key should be made over HTTPS. This service is behind Akamai's edge cache, so the actual IP addresses you will see for the name will vary based on your location and on ongoing service changes. The IPs can change rapidly and fluidly, so if your Web API calls are made through a firewall on outbound requests, read on.
Steam also provides a partner-only Web API server hosted on https://partner.steam-api.com. The intent of this service is to have higher availability than the public host; you should use this service for all requests made from your secure servers. This host has some different properties than the public host:
You should not connect to the Web API servers by IP; please use the DNS name. These addresses are provided only for those clients who need to whitelist these addresses in their firewalls.