Web API


Steam exposes an HTTP-based Web API which can be used to access many Steamworks features. The API contains public methods that can be accessed from any application capable of making an HTTP request, such as a game client or server. The API also contains protected methods that require authentication and are intended to be accessed from trusted back-end applications.

As an example, Web API methods are commonly used by a secure publisher server to:

  • Verify a Steam user's credentials with that server
  • Check if a user owns a particular application
  • Set or retrieve a user's stats, achievements or leaderboard scores
  • Execute an in-game purchase

Request Format

The Steamworks Web API is accessed by making HTTP/HTTPS requests to api.steampowered.com. Similar to the Steamworks C++ API, the Web API has been divided into multiple interfaces that contain related methods. The URI format of each API request is:
http://api.steampowered.com/<interface>/<method>/<method_version>/

A list of the currently supported interfaces and methods can be found by accessing GetSupportedAPIList. Some API methods require an API key (described below) and are not listed by this method unless a valid key is provided.

Most methods support a list of required and optional parameters. Depending on the method, these parameters must be passed in as GET or POST params in the request. For each method, GetSupportedAPIList returns the following related elements:

  • httpmethod - the format in which parameters must be passed (GET or POST)
  • parameters - a list of all parameters supported by the method
  • parameter/name - the name of a parameter
  • parameter/optional - true if the parameter is optional (failing to pass a required parameter will result in an HTTP 404 response)
  • version - the current method version. Must be formatted as v#### (v0001 for version 1)

All requests should be sent using HTTP 1.1 and use SSL v3, 128 bit encryption when appropriate. The Content-Type must be application/x-www-form-urlencoded and the POST parameters must be in the body of the request in standard form urlencoding format. Text must be transmitted as UTF-8.
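The request rules above can be checked locally before anything is sent. This is an added example, not Valve's code: the method entry is a constructed sample using the element names listed above, its dictionary shape is an assumption, and build_request is a hypothetical helper.

```python
from urllib.parse import urlencode

# Constructed sample of one method entry, using the element names the page
# lists for GetSupportedAPIList (httpmethod, parameters, name, optional, version).
NEWS_METHOD = {
    "name": "GetNewsForApp",
    "version": 1,
    "httpmethod": "GET",
    "parameters": [
        {"name": "appid", "optional": False},
        {"name": "count", "optional": True},
    ],
}

HOST = "api.steampowered.com"


def build_request(interface, method, args, fmt="json"):
    """Validate args against a method description and return (verb, url, body)."""
    declared = {p["name"]: p for p in method["parameters"]}
    missing = [n for n, p in declared.items() if not p["optional"] and n not in args]
    if missing:
        # The page says a missing required parameter yields HTTP 404; fail locally instead.
        raise ValueError(f"missing required parameter(s): {', '.join(missing)}")
    unknown = sorted(set(args) - set(declared))
    if unknown:
        # Local policy (an assumption of this example): send only declared parameters.
        raise ValueError(f"undeclared parameter(s): {', '.join(unknown)}")
    if fmt not in ("json", "xml", "vdf"):
        raise ValueError(f"unsupported format: {fmt}")

    version = f"v{int(method['version']):04d}"  # v#### form, e.g. v0001
    path = f"https://{HOST}/{interface}/{method['name']}/{version}/"
    # urlencode percent-encodes str values as UTF-8 by default.
    encoded = urlencode({"format": fmt, **args})
    verb = method["httpmethod"].upper()
    if verb == "GET":
        return verb, f"{path}?{encoded}", None
    if verb == "POST":
        # Body is sent with Content-Type: application/x-www-form-urlencoded.
        return verb, path, encoded.encode("ascii")
    raise ValueError(f"unexpected httpmethod: {verb}")
```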

Response Format

Steam supports returning Web API responses in multiple formats. By default, all responses are returned JSON encoded. However, each request can optionally contain a format parameter to specify the desired response format. The following values can be passed for this parameter: xml, json, and vdf.

A flexible solution should be used to parse Web API results as each method may return results in an arbitrary order.

API Keys

Some Web API methods return publicly accessible data and do not require authorization when called. Other methods may require clients to register for an API key and pass that in using the key parameter. There are also methods that return sensitive data or perform a protected action and require special access permissions. These APIs require a publisher key, which you will need to create before calling these APIs. To create one of these keys, please see Creating a Publisher Key below. If you don't require access to these special methods, you can register a regular API key from the registration page on the Steam Community.

Publisher Keys

To securely identify a publisher, and allow access to protected methods, a publisher may request a Web API key which can be passed to the appropriate methods using the key parameter. Each key is associated with a publisher group and can be used to access data for AppIDs that are also associated with that group. To receive a publisher Web API key, see Creating a Publisher Key below.

Web API keys provide access to sensitive user data and protected methods. These keys are intended to be used for Web API requests that originate from secure publisher servers. The keys must be stored securely, and must not be distributed with a game client. All Web API requests that contain Web API keys should be made over HTTPS.

Creating a Publisher Key

To create a publisher Web API key, you will need to have administrator permissions within an existing Steamworks partner account. If you are not an administrator yourself, you can see a list of administrators for your partner account by visiting your Steamworks Home Page and viewing the list on the right-hand side. Any one of them can create your Web API key or can promote you to admin if appropriate.

To create a Web API key:

  1. As a user with administrative rights in your Steamworks partner account, first visit your groups list.
  2. From the list of groups, select or create a group that contains the appIDs for which you wish to have access with the WebAPI key.
  3. Then click into that group to view the users and applications in that group.
  4. If you have administrative permissions, you should then see the option to "Create WebAPI Key" on the right-hand side. Or you should see the key listed if it has already been created.

Example Query

The following example retrieves the latest news for Team Fortress 2. The request specifies that the response should be returned as JSON and includes: a required appid parameter (Team Fortress 2's AppID is 440), and an optional count parameter to limit the number of results returned.

GET /ISteamNews/GetNewsForApp/V0001/?format=json&appid=440&count=3 HTTP/1.1\r\n
Host: api.steampowered.com\r\n
Content-Length: 0\r\n
\r\n

You can execute and view the results of this query with this link.

Obtaining the User's SteamID

Steamworks Web API methods identify users by the user's 64-bit SteamID. To learn how to securely obtain the user's SteamID, see Authentication & Ownership.

Web API Host Addresses, Firewall Considerations

The public Steamworks Web API is hosted on api.steampowered.com.

The public Web API host is accessible via HTTP (port 80) and HTTPS (port 443). Note that any requests using your publisher Web API key should be made over HTTPS. This service is behind Akamai's edge cache, so the actual IP addresses you will see for the name will vary based on your location and on ongoing service changes. The IPs can change rapidly and fluidly, so if your Web API calls are made through a firewall on outbound requests, read on.

Steam also provides a partner-only Web API server hosted on https://partner.steam-api.com. The intent of this service is to have higher availability than the public host; you should use this service for all requests made from your secure servers. This host has some different properties than the public host:

  • This host is only accessible via HTTPS.
  • This host is not behind Akamai's edge cache.
  • Every request to this host must be made with your publisher Web API key, even requests which would ordinarily not need a key. Requests made without a valid publisher key will return a 403 error code.
  • Requests generating 403 status codes will incur strict rate limits for the connecting IP. This is in an effort to ensure high availability. If you generate a sufficient number of requests within a certain time interval that return 403 status codes — either during testing, or by using a regular Web API key instead of your publisher key — the host will put your IP on a deny list for a while.
  • If you will be making requests to this API service from a host that has a firewall filter applied to outgoing requests, you should add the DNS name 'partner.steam-api.com' to your allow list. If your firewall only supports numeric addresses, add the following CIDR block to the allow list: 208.64.202.0/24

You should not connect to the Web API servers by IP; please use the DNS name. These addresses are provided only for those clients who need to whitelist these addresses in their firewalls.
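One way a back-end caller can respect the partner host's properties listed above: always HTTPS, always keyed, the key kept out of logs, and no further requests after a 403. This is an added example, not Valve's code; PartnerClient, redact_key, the injected transport callable and the 900-second cool-down are assumptions, since the page does not state the rate-limit interval.

```python
import time
from urllib.parse import urlencode, urlsplit, parse_qsl, urlunsplit

PARTNER_HOST = "partner.steam-api.com"
COOL_DOWN_SECONDS = 900  # assumed value; the page does not state the interval


class ForbiddenCoolDown(RuntimeError):
    """Raised instead of sending while a recent 403 is still cooling down."""


def redact_key(url):
    """Return the URL with the key parameter masked, safe to write to logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


class PartnerClient:
    def __init__(self, publisher_key, transport, clock=time.monotonic):
        if not publisher_key:
            raise ValueError("partner host requires a publisher key on every request")
        self._key, self._send, self._clock = publisher_key, transport, clock
        self._blocked_until = float("-inf")
        self.log = []  # redacted URLs only; the raw key never lands here

    def get(self, interface, method, version, **params):
        if self._clock() < self._blocked_until:
            raise ForbiddenCoolDown("last request returned 403; not retrying yet")
        # The scheme is fixed to https: the host accepts nothing else.
        url = (f"https://{PARTNER_HOST}/{interface}/{method}/v{version:04d}/?"
               + urlencode({"key": self._key, **params}))
        self.log.append(redact_key(url))
        status, body = self._send(url)  # transport returns (status_code, body)
        if status == 403:
            # Each further 403 counts toward the host's per-IP deny list.
            self._blocked_until = self._clock() + COOL_DOWN_SECONDS
        return status, body
```

In production the transport would wrap an HTTPS client, and the key would come from the server's secret store rather than from source code.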


More Questions?

Ask questions on the Web API discussion forum

 
