Authentication
Last updated
Last updated
Steam Authentication allows your game to verify the identity of a user via Steam's backend services. It is commonly used for multiplayer games, server access control, and web API integration. The system issues authentication tickets that can be validated by other clients, game servers, or your own backend.
You should use Steam Authentication when:
You need to verify a player's identity in multiplayer sessions.
You want to authenticate users with your backend or web services.
You're integrating with Steam Web API endpoints that require proof of identity.
You don’t need to use Steam Authentication when:
Your game is entirely single-player and doesn’t rely on server-side identity checks.
You're using Steam only for basic platform features like achievements or cloud saves.
Authentication is handled entirely via Steamworks API and does not require any setup in the Steamworks Developer Portal.
When requesting an authentication ticket, you must specify the intended recipient of the ticket—this is referred to as the "identity." The identity is who the ticket is for, not who is generating it. This means you should provide the Steam ID of the server, user, or Web API key that will receive and validate the ticket, not your own ID.
Not applicable
To get a ticket for use by a User or Steam Game Server, you will provide that user's or server's ID
// Remember, a UserData is compatible with a CSteamID
UserData networkHost; // set this to the host's UserData/ID
Authentication.GetAuthSessionTicket(networkHost, (TicketResponse, IOError) =>
{
if(!IOError && TicketResponse.Result == EResult.k_EResultOK)
{
// Send TicketResponse.Data to your networkHost to use
}
});
When you receive a ticket from a user, you use it by calling Begin Auth Session. This function first checks the ticket’s structure for validity. If the structure is valid, Steam processes the ticket on the backend, performs authentication, and returns the result to you.
Not Applicable
byte[] Data;
UserData UserItsFrom;
var RequestResult = Authentication.BeginAuthSession(Data, UserItsFrom, Session =>
{
// This only runs if the RequestResult was okay
// Session.User = who this session is with
// Session.GameOwner = who owns the App they are playing on
// this can be different than user if they are
// barrowing the game such as Family Sharing
// Session.Data = this is the ticket data that was validated
// Session.Response = this is an enumerator that tells you the status of
// the request
// Session.Barrowed = the game is barrowed e.g. User and GameOnwer dont match
// Here is an example of testing the Response
switch(Session.Response)
{
case EAuthSessionResponse.k_EAuthSessionResponseOK:
// Steam has verified the user is online,
// the ticket is valid and ticket has not been reused.
break;
case EAuthSessionResponse.k_EAuthSessionResponseUserNotConnectedToSteam:
// The user in question is not connected to steam.
break;
case EAuthSessionResponse.k_EAuthSessionResponseNoLicenseOrExpired:
// The license has expired.
break;
case EAuthSessionResponse.k_EAuthSessionResponseVACBanned:
// The user is VAC banned for this game.
break;
case EAuthSessionResponse.k_EAuthSessionResponseLoggedInElseWhere:
// The user account has logged in elsewhere and
// the session containing the game instance has been disconnected.
break;
case EAuthSessionResponse.k_EAuthSessionResponseVACCheckTimedOut:
// VAC has been unable to perform anti-cheat checks on this user.
break;
case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketCanceled:
// The ticket has been canceled by the issuer.
break;
case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketInvalidAlreadyUsed:
// This ticket has already been used, it is not valid.
break;
case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketInvalid:
// This ticket is not from a user instance currently connected to steam.
break;
case EAuthSessionResponse.k_EAuthSessionResponsePublisherIssuedBan:
// The user is banned for this game.
// The ban came via the web api and not VAC
break;
case EAuthSessionResponse.k_EAuthSessionResponseAuthTicketNetworkIdentityFailure:
// The network identity in the ticket does not match
// the server authenticating the ticket
break;
}
});
// Before the callback runs, this code will run and tell us if the structure
// of the ticket provided is valid and matches the user and app
if(RequestResult != EBeginAuthSessionResult.k_EBeginAuthSessionResultOK)
{
// If it is not "OK" then the callback will never run
// The RequestResult tells you what is not OK about it
}
When you are done playing with a user or otherwise wish to end the authenticated session with them, you need to call End Session on that user.