-
-
Notifications
You must be signed in to change notification settings - Fork 134
Access Tokens
v2.11.0 added the ability to use an access token rather than an API key to access the Steam WebAPI.
In October 2022, Valve launched an update to how authentication works on Steam. As part of this update, web session cookies are now access tokens, and those tokens can also be used to authenticate with (parts of) the Steam WebAPI.
Using an access token in this way is a byproduct of the way that the Steam mobile app works, and is not officially supported by Valve. As such, it may stop working at any time without warning.
When you call setCookies()
on a TradeOfferManager instance, TradeOfferManager parses your steamLoginSecure cookie and extracts the access token
from it. TradeOfferManager then makes a request to the API key page to retrieve
your account's API key.
If your account has no API key created yet, TradeOfferManager cannot create one for you because it requires mobile confirmation (a change made in late 2023). In this case, TradeOfferManager falls back to using your cookie access token and emits a warning informing you that it has done so.
At present (March 2024), this works just as well as using an API key. Access tokens do expire however, and when this happens the sessionExpired event will be emitted. However, this isn't much of a problem since you need valid cookies to send, accept, and cancel trade offers anyway.
If you want to explicitly opt into using access tokens rather than a WebAPI key, you can do so by passing true to
TradeOfferManager's useAccessToken option. If this option is enabled, then
TradeOfferManager will skip fetching an API key, will suppress the warning that's normally emitted when using access
tokens, and will use your access token for all WebAPI invocations.