This problem with marking games as private on Steam is something I've talked about a couple of times; I even got a temp ban by accident because of this. My solution ended up being unmarking my whole library as private once a week for 10 seconds and doing the manual scan on SG. I really like your solution; the problem is that it would need to be developed, tested and finally put to use, and that can take time and money, and I don't know how the internal day-to-day operation of SG works, but I don't see it happening. Still an amazing idea.
Well, I don't know that either (internal day-to-day SOP), but I sent my proposal via Support ticket in "Other" category, and got this:
Please post your suggestion here: https://www.steamgifts.com/discussions/bugs-suggestions so others can add to the idea and cg can find all suggestions in one place.
So, I'm hoping it'd at least be considered. IDK how often cg looks at those, or how used he is to use-case formatted tickets, but I made it as full-fetched as I could to save him some time, so 🤞.
If SG's internal scanners were to use the API key of each user when scanning their account
A single source using a very large number of users' API keys... I believe Steam will not like that at all.
Edit:
And after a bit of brief research, I believe this confirms it:
You agree to keep your Steam Web API key confidential, and not to share it with any third party. This license is personal to you and specific to your Application. You agree that you will be personally responsible for the use of your Steam Web API key.
I don't think it'd be an issue. According to ChatGPT, it's used exactly like that by many 3rd party websites, e.g. TF2Outpost, backpack.tf, Steam Inventory Helper (I'm not sure this one's a single source, though), Steam Ladder, dota2lounge.com, etc.
I think having a ToS clause that clearly states your API key will only be used to scan your account and deliver you your account-related data is enough for it to work out. This fragment clearly exists to prevent people from giving away their API key to websites that got banned, and need a new key in order to circumvent that ban - that's not what happens here. Also, checking if a single source is using multiple API keys seems like a waste, when an account requires a transaction history in order to get the API key in the 1st place. It reads to me more like: "if we see your API key violating our quotas too often, we will ban your account, and no amount of but-that-website-required-my-key explanation will help". But, again, it's not what's happening here - SG would only use that API once or twice per scan.
Back in the day, I had a website where people could check how "linuxy" their Steam library is. When it reached about two thousand users, I had to implement a similar functionality to avoid exhausting my per-IP Steam API quota. That website existed for several years and I never had a single complaint regarding API keys from either Valve or my users. Of course, I can imagine SG making quite a few more requests, but so do the above-mentioned websites, I think.
None of the sites (or extension, in the case of Steam Inventory Helper) you mentioned require you to give them your API key. (Not sure about dota2lounge.com since I never used it, and when I tried to visit it right now, my access was blocked by Cloudflare.)
Though I have no idea how they get around their Steam API quota, I guess it would be the same as it is for SteamGifts now?
Huh... Then it might be an issue. I'll just ask Valve directly, but tomorrow (it's past 3am). I'm pretty sure I've seen an option to provide Steam API key on both backpack.tf and dota2lounge for some extra details that aren't public, so I know some websites just get away doing it.
At 1st I didn't mean "require", because I mostly care about Use-Case-2 (setting NSFW titles as private - it got me banned for a few weeks), so only a small percent of users would use it (those who don't want their library public), but I came up with Use-Case-1 while writing the proposal, and I really think it's the more important one, and I really can't see how it could be dealt with otherwise.
OK, I looked again at backpack.tf and steamladder and I only saw an input field for a trade offer link on backpack.tf.
Both of the sites have sections https://steamladder.com/user/settings/api/ and https://backpack.tf/developer/apikey/view but those are for generating API keys for access to their API (for fetching items prices in case of backpack and ranking in case of steamladder), not Steam's API.
Also, your Use-Case-1 really does sound like a problem (one that I never considered before), so I don't argue against that and I don't really have any solution better than yours. Only thing I could think of for now, is to check the stats/achievements endpoint to see if the winner has any activity older than when GA ended / when they clicked "Received".
Why not both? We could have SG scanning profiles the old way some of the time, and using the API key some other times (proportion depending on whatever limits are there), in order not to overuse the API. Maybe every time someone wins something?
The link is Let Me Google That For You because I find it nicer than linking a Google search.
Anyway, based on how many hits there are for API scams, I don't really want to use mine more than the minimum to begin with.
Not a single result for that search talks about actual scams involving API keys. Just more false positives. If you want a pretty comprehensive description of the extent of malice possible due to obtaining a Steam API key, here's a Reddit post:
https://www.reddit.com/r/cs2/comments/1ckbhv4/api_scams_how_it_works_and_how_to_avoid_being_a/
As you can see, it all involves a 2nd factor, a silly user behaviour, or a straight-up fake website.
Also, Valve's official explanation of the Steam API key's role in scams is at the bottom of this help page:
https://help.steampowered.com/en/faqs/view/7F4E-1D40-43D0-73FD
I got a bullshit-response on the issue from Valve... I wasn't vague or unclear, simply asked if a user can provide their key to a website for the sole purpose of retrieving that single user's data, but they're being dismissive:
Hello Cy,
Thank you for contacting Steam Support.
If you don't have a license for a specific game, you cannot mark that game as private.
Please have a look at the article here Steam Private Games.
Steam Support does not provide assistance for questions regarding the Steam Web API.
However, you can refer to the following webpage for further information and Community discussions on using the API: Steam Web API Overview and you can register for a Steam Web API key here: https://steamcommunity.com/dev/apikey
Please let me know if I can help clarify anything else.
Steam Support
Christina
I tried applying for a developer account, which is needed to gain access to the mentioned discussion forums, but it requires a $100 payment (i.e. I'd need to buy at least 1 Steam store page "slot"), and I don't have that kind of money just lying around, unfortunately.
The option to "mark as private" in Steam games library introduced 2 new issues with the same stem:
USE-CASE-1: potential for unfair behaviour:
The above shows exactly the same as the game activation, and leaves the user with a key to sell or re-giveaway for points.
USE-CASE-2: overzealous bans:
That's the definition of false positive, and moderators have no choice but to ban the account, then handle one or more subsequent unsuspend-requests, etc.
PROPOSED SOLUTION: using the user's Steam API key:
While some heuristics are possible, they'll always lead to false-positives and security concerns. In my testing, however, I found out that sending Steam API requests with my own API key returns private results as if they were public. If SG's internal scanners were to use the API key of each user when scanning their account, it'd let the users mark their libraries as private, solve both use-cases, and possibly lessen some support-related workload.
COUNTERARGUMENTS: onboarding, quotas & privacy concerns:
There are 3 main concerns that come to mind:
POSSIBLE HERD TRANSPARENCY: an iffy perk for free:
While not strictly related, it might be possible to achieve a tipping point, where using a friend's API key is sufficient to scan libraries set to "friends-only" privacy mode, without any extra steps from the user. It would obviously require even more changes on the SG side and could be considered a privacy violation by some, but I'm mentioning it for the sake of completeness.