What is this?

This is a static page that is automatically generated from GetSupportedAPIList using public and publisher keys. Additionally, service methods are parsed from the Steam client's protobuf files.

If you specify the web api key above, it will be stored in your browser, and will only be sent to Valve's API servers if you choose to do so.

Type a value in the value field and click the execute button to perform an API request in your browser.


This website is created and maintained by xPaw. Use any APIs listed here at your own risk.
I do not know how all of them work, this page is simply a reference.

If you know of an API that is not listed here, make a pull request to the file of undocumented APIs.

Source code for this page is also available on GitHub.

Authentication

The Web API has three levels of access:

  1. Public methods that return publicly accessible data and require no authentication.
  2. Methods that require a user Web API key, available to anyone with a Steam account.
  3. Protected methods that require a publisher Web API key and return sensitive data or perform protected actions.

The API key can be provided either as a key query parameter, or by setting the x-webapi-key HTTP request header.

Access tokens are used by Steam's own web pages (Store and Community) for authenticated users instead of Web API keys. Not all APIs support access tokens. Some only work with API keys, and some only work with access tokens. When provided, the access token is sent as the access_token parameter.

Steam also acts as an OpenID provider, allowing third-party sites to authenticate users via their Steam account without handling credentials directly.

Many API methods have undocumented rate limits that differ from method to method. When rate limited, the API will usually return HTTP status 429, or an x-eresult of 25 (LimitExceeded) or 84 (RateLimitExceeded).

Publisher Web API keys must be stored securely on your server and must not be distributed with game clients. All API requests containing keys should be made over HTTPS.

See Steamworks Authentication documentation for details on publisher key permissions and IP allow lists.

API endpoints

The public Steamworks Web API is hosted on https://api.steampowered.com or https://community.steam-api.com.

The public Web API host is accessible via HTTP (port 80) and HTTPS (port 443). Note that any requests using your publisher Web API key should be made over HTTPS.
This service is behind Akamai's edge cache, so the actual IP addresses you will see for the name will vary based on your location and on ongoing service changes.
The IPs can change rapidly and fluidly, so if your Web API calls are made through a firewall on outbound requests, read on.

Steam also provides a partner-only Web API server hosted on https://partner.steam-api.com. The intent of this service is to have higher availability than the public host; you should use this service for all requests made from your secure servers. This host has some different properties than the public host:

  • This host is only accessible via HTTPS.
  • This host is not behind Akamai's edge cache.
  • Every request to this host must be made with your publisher Web API key, even requests which would ordinarily not need a key.
    Requests made without a valid publisher key will return a 403 error code.
  • Requests generating 403 status codes will incur strict rate limits for the connecting IP. This is in an effort to ensure high availability. If you generate a sufficient number of requests within a certain time interval that return 403 status codes, either during testing, or by using a regular Web API key instead of your publisher key, the host will put your IP on a deny list for a while.

You should not connect to the Web API servers by IP; use the DNS name. If you need to configure firewall rules for outbound API requests, see the Steamworks Web API Overview for the current CIDR blocks.

Requests

Similar to the Steamworks C++ API, the Web API has been divided into multiple interfaces that contain related methods. The URI format of each API request is: https://api.steampowered.com/<interface>/<method>/<method_version>/

Parameters are passed as query string parameters for GET requests, or in the request body as application/x-www-form-urlencoded for POST requests. All requests must use UTF-8 encoding.

Array parameters use a zero-based index postfix notation (e.g., steamids[0], steamids[1]) with a corresponding count parameter specifying the array length.

Interfaces with names ending in "Service" accept arguments as a single JSON object via the input_json parameter (URL-encoded), or as base64-encoded protobuf binary via the input_protobuf_encoded parameter. The key and format parameters must be passed separately as query parameters, not inside the JSON.

?key=XXXX&input_json={"steamid":76561197972495328}

See Steamworks Web API Overview for full request format details.
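The request rules above (URI layout, indexed array parameters with a count, input_json for Service interfaces, key sent separately) can be combined in one builder. This is an added example, not code from this page or from Valve; the interface and method names (IExampleService, IExample, ExampleMethod), the "v1" version string and the count parameter name "count" are placeholders chosen for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

API_BASE = "https://api.steampowered.com"

def build_request(interface, method, version, args, api_key=None,
                  count_param="count", base=API_BASE):
    """Return (url, headers) for a GET call; nothing is sent."""
    if api_key and urlsplit(base).scheme != "https":
        raise ValueError("refusing to attach an API key to a non-HTTPS request")
    if interface.endswith("Service"):
        # Service interfaces: all arguments travel in one JSON object.
        query = {"input_json": json.dumps(args, separators=(",", ":"))}
    else:
        query = {}
        for name, value in args.items():
            if isinstance(value, (list, tuple)):
                # Zero-based index postfix plus a count parameter.
                # count_param is an assumption; use the name the method documents.
                for i, item in enumerate(value):
                    query[f"{name}[{i}]"] = item
                query[count_param] = len(value)
            else:
                query[name] = value
    query["format"] = "json"  # format is a query parameter, never inside input_json
    # The key goes in the x-webapi-key header, so it stays out of the URL
    # and out of anything that records URLs.
    headers = {"x-webapi-key": api_key} if api_key else {}
    url = f"{base}/{interface}/{method}/{version}/?{urlencode(query)}"
    return url, headers

if __name__ == "__main__":
    # Hypothetical interface and method names; "XXXX" stands in for a real key.
    print(build_request("IExampleService", "ExampleMethod", "v1",
                        {"steamid": 76561197972495328}, api_key="XXXX"))
    print(build_request("IExample", "ExampleMethod", "v1",
                        {"steamids": [76561197972495328, 76561197960265729]}))
```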

Responses

Steam supports returning Web API responses in multiple formats. By default, all responses are returned JSON encoded. However, each request can optionally contain a format parameter to specify the desired response format. The following values can be passed for this parameter: json, xml, vdf, and protobuf_raw.

  • JSON (default): 64-bit numbers are returned as strings. Null values use JSON null.
  • XML: Arrays use sub-elements, no XML attributes are used. Null is represented as the text "null".
  • VDF (Valve Data Format): a KeyValues format used by Valve. Arrays use numeric keys as quoted strings. Null is an empty string.
  • Protobuf (protobuf_raw): returns the response as binary protobuf.

A flexible solution should be used to parse Web API results as each method may return results in an arbitrary order.

Some API responses include x-eresult and x-error_message HTTP response headers indicating the result status. See steamerrors.com for a list of EResult values.

HTTP Status Code    Description
200                 OK
400                 Bad Request: missing or incorrect required parameters.
401                 Unauthorized: invalid or missing API key.
403                 Forbidden: the API key does not have permission for the requested method.
404                 Not Found: the requested API endpoint does not exist.
405                 Method Not Allowed: the HTTP method (GET/POST) used is not allowed for this endpoint.
429                 Too Many Requests: you are being rate limited.
500                 Internal Server Error: an unexpected server error occurred, try again later.
502                 Bad Gateway: the server received an invalid response from an upstream server.
503                 Service Unavailable: the server is temporarily offline, try again later.
504                 Gateway Timeout: the server did not receive a timely response from an upstream server.

See Steamworks Web API Responses for additional details.
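A client has to combine the status code with the x-eresult header: a rate limit can arrive as 429 or as EResult 25 or 84, and a 403 must never be retried because repeated 403s lead to an IP deny list on the partner host. The following is an added example, not code from this page or from Valve; the backoff policy, the sample responses and the response body shape are constructed for illustration.

```python
import json
import time

ERESULT_OK = 1                  # EResult value for success
RATE_LIMIT_ERESULTS = {25, 84}  # LimitExceeded, RateLimitExceeded
RETRYABLE_STATUS = {500, 503}   # the status table says "try again later"

def classify(status, headers):
    """Map one response to 'ok', 'rate_limited', 'retry' or 'fatal'."""
    lowered = {k.lower(): str(v) for k, v in headers.items()}
    raw = lowered.get("x-eresult", "").strip()
    eresult = int(raw) if raw.isdigit() else None
    if status == 429 or eresult in RATE_LIMIT_ERESULTS:
        return "rate_limited"
    if status in RETRYABLE_STATUS:
        return "retry"
    if status == 200 and eresult in (None, ERESULT_OK):
        return "ok"
    # 400/401/403/404/405 or a failing EResult: resending cannot help, and
    # repeated 403s get the caller's IP deny-listed on the partner host.
    return "fatal"

def call_with_backoff(send, max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Run send() -> (status, headers, body) until 'ok', 'fatal' or out of tries.
    Returns (outcome, parsed JSON or None, list of delays waited)."""
    delays, outcome = [], "fatal"
    for attempt in range(max_attempts):
        status, headers, body = send()
        outcome = classify(status, headers)
        if outcome == "ok":
            return outcome, json.loads(body), delays
        if outcome == "fatal" or attempt + 1 == max_attempts:
            break
        delays.append(base_delay * 2 ** attempt)  # assumed exponential backoff
        sleep(delays[-1])
    return outcome, None, delays

# Constructed sample responses (not captured from Steam), replayed in order.
SAMPLE = [
    (429, {}, ""),
    (200, {"X-EResult": "84"}, "{}"),
    (200, {"x-eresult": "1"}, '{"response":{"steamid":"76561197972495328"}}'),
]

def replay(responses):
    """Stand-in transport: returns the next canned response on each call."""
    it = iter(responses)
    return lambda: next(it)

if __name__ == "__main__":
    print(call_with_backoff(replay(SAMPLE), sleep=lambda s: None))
```

The 64-bit steamid comes back as a JSON string, so convert it explicitly with int() where a number is needed.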

License

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.