Authentication

Quick Start

Steam Authentication allows your game to verify the identity of a user via Steam's backend services. It is commonly used for multiplayer games, server access control, and web API integration. The system issues authentication tickets that can be validated by other clients, game servers, or your own backend.

You should use Steam Authentication when:

You need to verify a player's identity in multiplayer sessions.
You want to authenticate users with your backend or web services.
You're integrating with Steam Web API endpoints that require proof of identity.

You don’t need to use Steam Authentication when:

Your game is entirely single-player and doesn’t rely on server-side identity checks.
You're using Steam only for basic platform features like achievements or cloud saves.

Authentication is handled entirely via Steamworks API and does not require any setup in the Steamworks Developer Portal.

Examples

Get Ticket

When requesting an authentication ticket, you must specify the intended recipient of the ticket—this is referred to as the "identity." The identity is who the ticket is for, not who is generating it. This means you should provide the Steam ID of the server, user, or Web API key that will receive and validate the ticket, not your own ID.

Code Free

Not applicable

C#

To get a ticket for use by a User or Steam Game Server, you will provide that user's or server's ID

// Remember, a UserData is compatible with a CSteamID
UserData networkHost; // set this to the host's UserData/ID

Authentication.GetAuthSessionTicket(networkHost, (TicketResponse, IOError) =>
{
    if(!IOError && TicketResponse.Result == EResult.k_EResultOK)
    {
        // Send TicketResponse.Data to your networkHost to use
    }
});

Blueprint

Keep in mind that the Game Server and User versions are different. So if you are doing this from a Dedicated server that has initialised Steam Game Server ... then use the Steam Game Server version.

In most cases, e.g., when running from a client build or Listen Server, you would use the User versions.

Note that the Web Auth Session Ticket request is asynchronous, while the standard request is not.

C++

TArray<uint8> buffer;
buffer.SetNumUninitialized(1024);
uint32 BytesWritten = 0;
SteamNetworkingIdentity Id{};
Id.m_eType = ESteamNetworkingIdentityType::k_ESteamNetworkingIdentityType_SteamID;
Id.SetSteamID(forSteamId);

HAuthTicket handle = SteamUser()->GetAuthSessionTicket(buffer.GetData(), 1024, &BytesWritten, &Id);

// A temp buffer to hold the max value
var array = new byte[1024];
// Will tell us the actual length
uint m_pcbTicket;
// Retain the handle for later use
var Handle = SteamUser.GetAuthSessionTicket(array, 1024, out m_pcbTicket, ref forIdentity);
// Trim the array to match the actual size
Array.Resize(ref array, (int)m_pcbTicket);

Begin Session

When you receive a ticket from a user, you use it by calling Begin Auth Session. This function first checks the ticket’s structure for validity. If the structure is valid, Steam processes the ticket on the backend, performs authentication, and returns the result to you.

Code Free

Not Applicable

C#

byte[] Data;
UserData UserItsFrom;

var RequestResult = Authentication.BeginAuthSession(Data, UserItsFrom, Session =>
{
    // This only runs if the RequestResult was okay
    // Session.User = who this session is with
    // Session.GameOwner = who owns the App they are playing on
    //                     this can be different than user if they are 
    //                     barrowing the game such as Family Sharing
    // Session.Data = this is the ticket data that was validated
    // Session.Response = this is an enumerator that tells you the status of
    //                    the request
    // Session.Barrowed = the game is barrowed e.g. User and GameOnwer dont match
    
    // Here is an example of testing the Response
    switch(Session.Response)
    {
        case EAuthSessionResponse.k_EAuthSessionResponseOK:
            // Steam has verified the user is online, 
            // the ticket is valid and ticket has not been reused.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseUserNotConnectedToSteam:
            // The user in question is not connected to steam.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseNoLicenseOrExpired:
            // The license has expired.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseVACBanned:
            // The user is VAC banned for this game.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseLoggedInElseWhere:
            // The user account has logged in elsewhere and 
            // the session containing the game instance has been disconnected.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseVACCheckTimedOut:
            // VAC has been unable to perform anti-cheat checks on this user.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketCanceled:
            // The ticket has been canceled by the issuer.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketInvalidAlreadyUsed:
            // This ticket has already been used, it is not valid.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketInvalid:
            // This ticket is not from a user instance currently connected to steam.
            break;
        case EAuthSessionResponse.k_EAuthSessionResponsePublisherIssuedBan:
            // The user is banned for this game. 
            // The ban came via the web api and not VAC
            break;
        case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketNetworkIdentityFailure:
            // The network identity in the ticket does not match 
            // the server authenticating the ticket
            break;
    }
});

// Before the callback runs, this code will run and tell us if the structure
// of the ticket provided is valid and matches the user and app
if(RequestResult != EBeginAuthSessionResult.k_EBeginAuthSessionResultOK)
{
    // If it is not "OK" then the callback will never run
    // The RequestResult tells you what is not OK about it
}

Blueprint

Be aware of the Client vs Steam Game Server versions

C++

In the example below, we are assuming your input Ticket came in as a TArray<uint8> so we need to convert that to a traditional uint8 array for Steam.

USteamToolsSubsystem* Subsystem = GEngine->GetWorld()->GetGameInstance()->GetSubsystem<USteamToolsSubsystem>();
FBeginAuthSessionCallbackDelegate callback;
callback.BindUFunction(this, FName("SteamCallback"));

Subsystem->BeginAuthRequests.Add(Request.User, callback);

int32 TicketLength = Ticket.Num();
const uint8* TicketData = Ticket.GetData();

EBeginAuthSessionResult result = SteamUser()->BeginAuthSession(TicketData, TicketLength, INT64_TO_STEAMID(Request.User));

We are also using Heathen's Steam Tools Subsystem to handle the callback. In this case, the input function is expected to take the form of:

void UYourClass::SteamCallback(const int64 User, const int64 Owner, const UEAuthSessionResponse Response)
{
    // Do Work
}

// Register the callback somewhere permanent if you haven't already
m_ValidateAuthSessionTicketResponse = Callback<ValidateAuthTicketResponse_t>.Create(HandleValidateAuthTicketResponse);

// To begin the session
byte[] authTicket; // This would be passed in by the user you're authenticating
var Result = SteamUser.BeginAuthSession(authTicket, authTicket.Length, user);

// The handler for your callback will take the form of
private void HandleValidateAuthTicketResponse(ValidateAuthTicketResponse_t arg0)
{
    if (arg0.m_eAuthSessionResponse != EAuthSessionResponse.k_EAuthSessionResponseOK)
        ;// Something is wrong with the ticket, the session response will say what
}

End Session

When you are done playing with a user or otherwise wish to end the authenticated session with them, you need to call End Session on that user.

Code Free

Not Applicable

C#

// End for a user
Authentication.EndAuthSession(TheUser);

// End for all users
Authentication.EndAllSessions();

Blueprint

Be aware of the Client vs Steam Game Server versions

C++

// For client builds
SteamUser()->EndAuthSession(SteamId);
// For dedicated server builds
SteamGameServer()->EndAuthSession(SteamId);

// For client builds
SteamUser.EndAuthSession(User);
// For dedicated server builds
SteamGameServer.EndAuthSession(User);

PreviousUnity Achievement Tools NextBranches

Last updated 1 month ago