Steam Authentication
Steam provides two primary methods for server-side player authentication. Both allow your game server to verify that a connecting player owns a valid Steam account and the game.
Recommended: Auth Tickets via Web API
ISteamUser::GetAuthTicketForWebAPI is the recommended method for authenticating players on a dedicated server. It was introduced in Steamworks SDK 1.57 and has broader support and fewer edge cases than older methods.
How It Works
- Game client calls ISteamUser::GetAuthTicketForWebAPI(pchIdentity) with your game’s identity string
- Client receives a callback with the ticket data
- Client sends the ticket to your game server (as part of the connection handshake)
- Game server sends the ticket to Steam’s Web API for verification:
  GET https://api.steampowered.com/ISteamUserAuth/AuthenticateUserTicket/v1/?key=YOUR_WEB_API_KEY&appid=YOUR_APP_ID&ticket=HEX_ENCODED_TICKET
- Steam responds with the player’s Steam ID and ownership status
- Server confirms the identity and allows or rejects the connection
Server-Side Requirements
- Your server needs a Steam Web API key (generated in Steamworks partner settings)
- The server makes an outbound HTTPS request to Steam’s API for each connecting player
- The API key should be stored as an environment variable, not in a config file (see Networking and Ports for guidance on sensitive data)
Key Considerations
- Verification requires an outbound internet connection from the server
- If Steam’s API is down, players cannot authenticate. Decide how your server handles this (reject all connections or allow a grace period)
- Each ticket is single-use. Do not cache or reuse tickets across sessions
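The verification steps, the environment-variable requirement and the outage decision above, combined in one added example (not code from the original page or from Steam). The STEAM_WEB_API_KEY variable name, the reply shape noted in the comment, the local replay set and the "provisional" outcome are assumptions of this example; the transport is injectable so the logic can be exercised without network access.

```python
import json
import os
import urllib.parse
import urllib.request

API_URL = "https://api.steampowered.com/ISteamUserAuth/AuthenticateUserTicket/v1/"


class SteamUnavailable(Exception):
    """Steam could not be reached or returned an unusable reply."""


def http_get_json(url, timeout=5):
    """HTTPS GET returning decoded JSON. Errors are re-raised without the
    URL, because the query string carries the Web API key."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        raise SteamUnavailable("ticket verification request failed") from None


def verify_ticket(ticket, app_id, identity, seen, fetch=http_get_json):
    """Return the verified SteamID string, or None if the ticket is rejected."""
    ticket_hex = ticket.hex()
    if ticket_hex in seen:
        return None  # single-use: never accept the same ticket twice
    query = urllib.parse.urlencode({
        "key": os.environ["STEAM_WEB_API_KEY"],  # assumed variable name
        "appid": app_id,
        "identity": identity,  # same string the client passed as pchIdentity
        "ticket": ticket_hex,
    })
    body = fetch(f"{API_URL}?{query}")
    # Assumed reply shape: {"response": {"params": {"result": "OK", "steamid": ...}}}
    params = body.get("response", {}).get("params") or {}
    if params.get("result") != "OK" or not params.get("steamid"):
        return None
    seen.add(ticket_hex)
    return params["steamid"]


def admit(ticket, app_id, identity, seen, fetch=http_get_json, grace=False):
    """Apply the outage policy: fail closed, or admit provisionally."""
    try:
        steam_id = verify_ticket(ticket, app_id, identity, seen, fetch)
    except SteamUnavailable:
        # A provisional player has no verified SteamID and must be re-checked.
        return ("provisional", None) if grace else ("reject", None)
    return ("accept", steam_id) if steam_id else ("reject", None)
```

The caller takes the player's identity only from the returned SteamID, never from anything the client claims about itself in the handshake.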
Alternative: Encrypted Application Tickets
Encrypted Application Tickets provide offline verification. The ticket is encrypted with a key shared between Steam and your server, so the server can verify it without calling Steam’s API.
When to Use This
- Your server cannot make outbound HTTP requests
- You need offline verification capability
- You’re building for environments with limited internet connectivity
Limitations
- More complex to implement (requires handling encryption/decryption)
- Can cause issues with games that have many DLCs, as DLC ownership data is embedded in the ticket and inflates its size
- Less widely documented and supported than Web API auth tickets
For most dedicated servers, the Web API method is simpler and more reliable.
Steam App Ticket vs. Session Ticket
These are older authentication methods that predate GetAuthTicketForWebAPI. You may encounter them in legacy code or older documentation:
- Session Tickets (GetAuthSessionTicket): Designed for peer-to-peer and listen server verification. Requires the Steamworks SDK on the server. Works, but more complex for dedicated servers.
- App Tickets: Deprecated for new games.
For new implementations, use GetAuthTicketForWebAPI.
Steamworks Server API
If your server uses the Steamworks Game Server API (for server browser listing, VAC, etc.), you already have a Steam SDK context on the server. In this case, you can also use BeginAuthSession to verify session tickets directly without calling the Web API. This is useful if your server is already initializing Steamworks for other features.
Nodecraft Studio Integration
If you’re using Nodecraft Studio, the platform handles Steam authentication through the Player Ident system. Your server receives a pre-verified Server Authorization Token that confirms the player’s identity, access permissions, and ban status in one step.
See Steam Ident for details on providing your Steam API key to Nodecraft Studio.