Openstars

Understanding the Steam API Scam: Protect Your Inventory

The API Scam is a common and clever fraud on Steam designed to steal your valuable in-game items. While it uses technical terms, the scam relies on tricking you, the user.

Remember this fundamental rule: An API key alone cannot complete a trade. Every trade still requires a final confirmation via your Steam Guard Mobile Authenticator.

The scam begins when a user is lured to a fake website (e.g., a "free skins" site, a fake trading platform, or a gambling site). This is a phishing attack.

To use the site, you are asked to "Sign in through Steam." The login page looks identical to the real Steam, but it is fake. When you enter your username, password, and Steam Guard code, the scammers steal this information.

Scammers immediately use a script to access your real account and generate a unique Steam Web API Key. This key allows them to monitor your account’s trade offers.

What the scammers see and do: ​

​(Image 1: The 'Register Steam Web API Key' page. Scammers use this page to create the key they will use to track your trades.) ​

Step 2: The Trap Is Sprung (Trade Interception)

Once the scammers have the key, they wait. The moment you initiate a trade with a real partner (like a friend or a trusted market bot), the scammer’s script detects it. In milliseconds, it performs a bait-and-switch:

It cancels your original, legitimate trade offer.

It creates a fake trade offer that looks identical. This fake offer comes from a scraper account that copies the avatar and name of your original trading partner.

You check your phone to confirm the trade. You see the familiar avatar and name. You click 'Confirm.'

1. It cancels your original, legitimate trade offer.
2. It creates a fake trade offer that looks identical. This fake offer comes from a scraper account that copies the avatar and name of your original trading partner.
3. You check your phone to confirm the trade. You see the familiar avatar and name. You click 'Confirm.'

What your trade history looks like: ​

​(Image 2: Post-scam trade history. The real offer is canceled (red 'X'), and the fake offer is accepted (green checkmark). Both happen simultaneously.) ​

Step 3: How to Spot the Fake and Protect Yourself

The critical moment is the final verification on your phone. Do not rush. A fake account cannot copy everything perfectly.

Before you confirm, verify these details of the account sending the offer:

Steam Level: Real partners (friends, big markets) have high levels (e.g., 50+). Scammer bots are almost always level 0 or 1.

Account Creation Date: This cannot be changed. If you are trading with an "old friend," but the account was created yesterday, it is a scam.

Name History: Click their name. Scammers often have many rapid name changes or no history.

- Steam Level: Real partners (friends, big markets) have high levels (e.g., 50+). Scammer bots are almost always level 0 or 1.
- Account Creation Date: This cannot be changed. If you are trading with an "old friend," but the account was created yesterday, it is a scam.
- Name History: Click their name. Scammers often have many rapid name changes or no history.

What to check on your Mobile Authenticator: ​

​(Image 3: Mobile confirmation screen. Verify User Level, Account Creation Date, and Name History. These are the three critical check points.)

Step 4: Emergency Action Plan (If Compromised)

If you suspect you have an API Key that scammers created, you must act in this specific order to secure your account:

Revoke the Key: Go to the <a href="https://steamcommunity.com/dev/apikey" rel="nofollow noopener noreferrer" target="_blank">Steam API Key page</a> and click "Revoke my Steam Web API key." The field must be empty.

Deauthorize Devices: Go to your <a href="https://www.google.com/search?q=https://store.steampowered.com/twofactor/manage" rel="nofollow noopener noreferrer" target="_blank">Steam Guard settings</a> and click "Deauthorize all other devices." This kicks the scammers out of your session.

Change Your Password: Change your Steam password and your email password.

1. Revoke the Key: Go to the <a href="https://steamcommunity.com/dev/apikey" rel="nofollow noopener noreferrer" target="_blank">Steam API Key page</a> and click "Revoke my Steam Web API key." The field must be empty.
2. Deauthorize Devices: Go to your <a href="https://www.google.com/search?q=https://store.steampowered.com/twofactor/manage" rel="nofollow noopener noreferrer" target="_blank">Steam Guard settings</a> and click "Deauthorize all other devices." This kicks the scammers out of your session.
3. Change Your Password: Change your Steam password and your email password.

Step 1: Revoke the API Key: ​

​(Image 4: The final confirmation step. Clicking "Yes, Revoke Key" in English is essential to stop the scammers' tracking tool.)

Step 2: Deauthorize Other Devices: ​

(Image 5: Steam Guard Management. Use the English "Deauthorize all other devices" button to force a logout of your account from every computer and phone, removing the scammers' access.) ​

What is API-scam

Back to site

Find answers and get help from Intercom Support and Community Experts

Conversations you've started through the messenger will appear here.

No conversations created by you

Try using different keywords or checking for typos.

No conversations found

Title

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Empty Help Center

Uh oh. That page doesn’t exist.

Home

Search results

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

No tickets created by you

No tickets found

Track the progress of all tickets and conversations related to your company.

Customer Portal.

Track the progress of all tickets related to your company.

Tickets portal.

{assigneeName} needs more information from you

Tickets

No access to tickets portal

Search and ask

Find guides, answers, and references.

Skip the search. Describe what you’re trying to do and get a grounded answer.

Browse articles and guides in this topic.

Create your workspace and invite the people you work with.

Set up your account

Build your first workflow and watch it run end to end.

Ship something

Connect the tools your team already uses to bring data in.

Connect your stack

A quick lap of the product so you know where everything lives.

{appName} in 60 seconds

This prototype demo is aware that you are reading “{title}”. It can point you back to the current article, but a production article-aware Fin contract is still follow-up work.

Prototype article-aware answer

Because you already asked about invitations, this prototype demo can add the follow-up: use the role selector before sending each invite to limit access to the teammate responsibilities.

Prototype role-limiting follow-up

This prototype demo suggests starting with your workspace profile, inviting the team members who need access, and then connecting the integrations you use.

Prototype getting-started answer

In this prototype demo, integrations are configured from workspace settings. Choose the integration, connect the account, and review the enabled permissions.

Prototype integrations answer

In this prototype demo, invite teammates from workspace settings, then choose the access each teammate needs before sending the invitation.

Prototype invite-team answer

This prototype demo does not have a scripted answer for that question yet. Try asking how to invite your team or open a source article. No production Fin API was called.

Prototype answer unavailable

I’ve got this page open. Ask me anything about it and I’ll answer from the docs.

What is API-scam

Understanding the Steam API Scam: Protect Your Inventory

Step 1: How the Scam Is Set Up

Step 2: The Trap Is Sprung (Trade Interception)

Step 3: How to Spot the Fake and Protect Yourself

Step 4: Emergency Action Plan (If Compromised)