Steam API

Helpful links:

  • Steam Web API. Documentation for accessing user information.
  • Steam Web API Key, required for accessing the Steam Web API.
  • Steam Web API Documentation. This contains references to the OpenID Provider logic, allowing you to have someone log in under their Steam credentials to your website. This also contains the “Sign in through Steam” icons they request that you use when using OpenID.


  • bhaberer/steam-api (Ruby)
  • Steam Condenser, a set of libraries for accessing the Steam Community API and game servers written in Source or GoldSrc. Available in Java, PHP, Ruby, and C#.

OpenID Authentication with Steam

Steam uses OpenID 2.0.

Information here is heavily sourced from Matthew Steven Monkan’s answer on Stack Overflow.

Requesting OpenID Information

  • Create a URL with the following parameters:

    • URL:
    • openid.ns:
    • openid.claimed_id:
    • openid.identity:
    • openid.return_to: The URL on your website that should receive the GET request
    • openid.realm: The domain part of the openid.return_to URL. This is what is displayed to the user when logging in on Steam
    • openid.mode: checkid_setup


  • After a user successfully logs in, Steam will issue a GET request to the openid.return_to URL you specified with several query parameters added:

    • openid.ns:
    • openid.mode: id_res
    • openid.op_endpoint:
    • openid.claimed_id:
    • openid.identity:
    • openid.return_to: The value of openid.return_to used in the original request
    • openid.response_nonce: 2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=
    • openid.assoc_handle: 1234567890
    • openid.signed: signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
    • openid.sig: W0u5DRbtHE1GG0ZKXjerUZDUGmc=


Verifying The OpenID Information

To verify the provided information, issue an API call to Steam via a backend server as follows:

  • Take the URL that Steam redirected to
  • Swap out the initial host and path with
  • Replace openid.mode’s value of id_res with check_authentication


A valid response will look like:


Because the URL contains a nonce, this API call can only be made once; every subsequent request returns is_valid:false, even if the response was valid the first time.
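
The verification steps above, sketched as backend code. This is an added example, not code from the Stack Overflow answer or from Steam. `OP_ENDPOINT`, `RETURN_TO` and the claimed_id/identity values are placeholders, and the sketch assumes the verification endpoint is the same URL Steam reports in openid.op_endpoint. It also rejects callbacks whose return_to or signed field list is not what the site expects before contacting the provider.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Placeholder for the provider endpoint; the page does not show the real value.
OP_ENDPOINT = "https://op.example/openid/login"
# Fields listed in the page's sample openid.signed, minus the literal "signed".
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"}


def build_check_url(callback_url, expected_return_to, op_endpoint=OP_ENDPOINT):
    """Validate the callback, then return the check_authentication URL."""
    params = dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":
        raise ValueError("not an id_res response")
    # Never send the check to an endpoint named only by the callback itself.
    if params.get("openid.op_endpoint") != op_endpoint:
        raise ValueError("unexpected op_endpoint")
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to is not this site's callback")
    missing = REQUIRED_SIGNED - set(params.get("openid.signed", "").split(","))
    if missing:
        raise ValueError("unsigned fields: " + ",".join(sorted(missing)))
    params["openid.mode"] = "check_authentication"
    return op_endpoint + "?" + urlencode(params)


def is_valid_response(body):
    """Parse the key:value response body; only an exact is_valid:true passes."""
    fields = dict(line.split(":", 1) for line in body.splitlines() if ":" in line)
    return fields.get("is_valid") == "true"


# Constructed callback built from the page's sample values (openid.ns omitted).
RETURN_TO = "https://example.com/auth/steam/callback"  # placeholder site URL
SAMPLE_CALLBACK = RETURN_TO + "?" + urlencode({
    "openid.mode": "id_res",
    "openid.op_endpoint": OP_ENDPOINT,
    "openid.claimed_id": "https://op.example/openid/id/0",  # placeholder
    "openid.identity": "https://op.example/openid/id/0",    # placeholder
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2020-08-27T04:44:16Zs4DPZce8qc+iPCe8JgQKB0BiIDI=",
    "openid.assoc_handle": "1234567890",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle",
    "openid.sig": "W0u5DRbtHE1GG0ZKXjerUZDUGmc=",
})

if __name__ == "__main__":
    print(build_check_url(SAMPLE_CALLBACK, RETURN_TO))
```

Fetch the returned URL once from the backend and pass the response body to `is_valid_response`; treat anything other than a true result as a failed login.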