A Steam API scam is a type of fraud where scammers get hold of your API key, a unique code that gives access to actions on your Steam account. They exploit this to swap trades, resulting in your items being stolen when trading with friends or trusted skin markets.
When Are You at Risk of Getting Steam API Scammed?
To protect yourself, it is essential to understand how these scams work. Most commonly, phishing websites are involved. These sites mimic legitimate platforms or present themselves as useful tools or analytics sites for players. You might encounter them through search engines, which is why we recommend avoiding top links from paid ads and bookmarking trusted sites. Sometimes, other Steam users may unknowingly or intentionally guide you to one of these scam sites, inviting you to:
Register for a game tournament
Vote for an item they’ve created in the Steam Workshop, etc
Following these links can lead to becoming a victim of a Steam API scam.
How to Not Get API Scammed — Steam Authorization
Staying vigilant is the key to avoiding these scams. A site may look legitimate or almost identical to the original, but it could be set up for fraudulent purposes. Once you start browsing, you may be asked to log in via Steam. Here's where the difference lies.
If you have previously logged in to Steam in your browser, then:
Legitimate sites: Will prompt you to log in by simply clicking "Sign In" without asking for more details.
Fraudulent sites: Will require you to re-enter your Steam login information or scan a QR code.
If you enter your details or scan the code, scammers can instantly access your Steam account.
How Do Steam API Scams Work?
After you have been tricked into logging in, scammers generate an API key without your knowledge (it will be shown here https://steamcommunity.com/dev/apikey).
You will not notice anything right away. You will continue using your Steam account as usual, but later, when you initiate a trade, scammers can intercept and swap your trade without you realizing it.
When you send items to a friend/market/another account, they use your API key to cancel the original trade and replace it with a fraudulent one directed to their bot. If you look at the trade history in your account, you will see two trade offers with the same items – one for the real recipient and another for the fraudulent bot. Moreover, more advanced scammers might use user account information to swap the bot's avatar or other data to resemble the real recipient. Once you accept the trade, your skins will be sent to the scammers, not the intended recipient.
How to Check for an API Scam on Your Account?
To safeguard your account, regularly check if an API key has been generated on your Steam profile. You can do this by visiting this link: https://steamcommunity.com/dev/apikey.
If a key has been created without your knowledge, delete it immediately and change your password. This is how you can stop the Steam API scam in most cases.
We also recommend changing your trade link to prevent future issues. You can do this here: https://steamcommunity.com/id/(insert your account id)/tradeoffers/privacy, or open “Inventory - Trade Offers - Who can send me Trade Offers” in your account.
When you sell items to our bot, we will notify you if a trade is canceled. While we cannot guarantee scammers have not accessed your API key beforehand, we take every step to help you identify a fraudulent trade and prevent a Steam API scam.
If your trade is rejected by Steam, you will see a warning message on our site (see the screenshot below) and hear an alert.
It is important to carefully verify the bot’s details, such as name, level, and avatar, before confirming a trade through the mobile authenticator. Scammers may try to replicate the bot's details and substitute the trade.
You can also check your recent trade offers in your Steam account history at https://steamcommunity.com/id/(your account id)/tradeoffers/ to see if there is a sign of a Steam API Scam. If you find two identical trade offers, one of which is canceled, it is likely that scammers have attempted to intercept the transaction.
For a safer experience, we recommend using your PC browser for transactions rather than a mobile application. This allows you to view the website and the mobile authenticator simultaneously, making it easier to detect and prevent potential API scams.
How to Avoid a Steam API Scam?
Here are some additional recommendations to avoid a Steam API scam, help you protect your account and safely trade skins.
Always verify the authenticity of websites requiring Steam authorization. Ensure that the URL in the address bar matches the official website address and is not a subtle variation.
Be cautious when interacting with unknown users. Verify any links they send you before clicking on them.
Watch out for suspicious offers, such as tournament invitations or trade requests from unfamiliar individuals.
Be cautious if someone contacts you pretending to be Steam support and asks you to send your items to a "friend" or another account for "verification" purposes. Official Steam support staff will never add you as a friend or communicate with you through chat. If your profile shows warnings like "reviewed" or "suspicious," or you receive a message claiming to be from Steam support, change your password immediately and contact Steam's official support team at https://help.steampowered.com/en/ for assistance.
Use only verified third-party sites for selling or trading skins.
By staying vigilant and following these precautions, you can protect your account from being compromised and ensure your trades are secure.
