The Steam Desktop Authenticator — as a stateless API. Generate maFiles, mint Steam Guard codes, and auto-confirm trades straight from your backend. No desktop app to run.
revocation_code the moment you generate them; the revocation code is the only way to remove the authenticator. You use it entirely at your own risk: we accept no liability for account locks, bans, or lost access, and we are not affiliated with Steam or its operator.
All endpoints return JSON, accept the same auth header, and degrade with a normalised error envelope.
/steam/api/guard/code
/steam/api/guard/add
/steam/api/guard/remove
/steam/api/guard/confirmations/list
/steam/api/guard/confirmations/details
/steam/api/guard/confirmations/confirm
/steam/api/guard/confirmations/confirm-all
Same auth header as every other endpoint we ship. Get an API key from the dashboard and you're querying inside two minutes.
The Steam Guard API is the Steam Desktop Authenticator rebuilt as a REST API. For years, bot operators ran Jessecar96's open-source SteamDesktopAuthenticator (SDA) desktop app to store maFiles and confirm trades by hand. You no longer need that desktop app — every step is a stateless HTTP call you can run from a server, a cron job, or a trading bot.
The maFile this API generates is byte-for-byte compatible with the SDA format, so anything you already built around SteamDesktopAuthenticator keeps working. The difference: no GUI, no Windows process, no manual clicking. Enroll an authenticator, generate the 5-character Steam Guard login code, and approve mobile confirmations entirely over the API.
maFile generation is a single endpoint, /steam/api/guard/add, that walks the Steam enrollment in two to three calls: log in with username and password, submit the email code Steam sends (for email-Steam-Guard accounts), then finalize with the activation code. The response is the full maFile — shared_secret, identity_secret, revocation_code, serial_number, the otpauth URI — plus a ready-to-use download link. Store the revocation_code: it is the only way to remove the authenticator later.
The shared_secret generates the rotating Steam Guard login code (TOTP) via /steam/api/guard/code. The identity_secret signs mobile trade and market confirmations. steamLoginSecure is a web session cookie — it is not part of the maFile, but you can mint it from the maFile's RefreshToken to drive confirmation calls. One enrollment hands you everything a bot needs.
Wire the Steam Guard API into a trade bot: generate the login code on demand, then list and approve the trade confirmations Steam would normally show only in the mobile app — no phone in the loop, no human tapping Confirm. Pair it with the Steam Trading API for a full preflight-to-confirm pipeline.
List pending confirmations, inspect one, accept or deny a single item, batch many, or one-shot auto-confirm every trade or market confirmation in a single request. All you need is the identity_secret and a steamLoginSecure session.
Accounts without a phone work too: Steam emails the activation code instead of sending an SMS, and the API finalizes enrollment with it the same way. Verified end to end.
Nothing is stored. You pass the secrets per request and they live only for that call — no maFile, no shared_secret, no session is ever persisted on our side. Every guard endpoint is POST, so secrets never land in a URL or an access log. Access is shared with the Trade API tier.
No. The Steam Guard API replaces the SDA desktop app — maFile generation, Steam Guard login codes and trade confirmations are all REST calls. The maFile it returns uses the same format as Jessecar96's SteamDesktopAuthenticator, so you can still import it if you ever want to.
Everything the desktop app does by hand becomes an HTTP call: enroll an authenticator, download the maFile, generate the rotating Guard code, and approve mobile confirmations — scriptable, headless and stateless.
Call /steam/api/guard/add with username and password, submit the email code Steam sends, then finalize with the activation code. You get the full maFile back — shared_secret, identity_secret, revocation_code and a download link — in one flow.
All three come from enrollment: the maFile contains shared_secret and identity_secret; steamLoginSecure is minted from the maFile's RefreshToken. The shared_secret then powers /steam/api/guard/code for login codes.
Generate the Steam Guard login code from the shared_secret, then auto-approve trade confirmations over the API — no phone, no manual tapping. Combine it with the Steam Trading API for eligibility and lock-state checks.
Use /steam/api/guard/confirmations/list to list them and /steam/api/guard/confirmations/confirm-all to approve every trade or market confirmation at once. You need the identity_secret and a steamLoginSecure session.
Yes. For phone-less accounts Steam emails the activation code instead of an SMS, and the API finalizes enrollment with it the same way.
No secrets are stored. You pass them per request, they are used only for that call, and every endpoint is POST so nothing sensitive lands in a URL or an access log.
Send the shared_secret to /steam/api/guard/code and get the current 5-character Steam Guard code (TOTP) plus its expiry — the same code the Steam mobile app shows.
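The 5-character code can also be derived locally from the shared_secret, which lets you check what /steam/api/guard/code returns. This is an added example, not the API's or SDA's own code; it assumes the maFile's shared_secret is base64, a 30-second window, and the 26-character alphabet used by the open-source SDA implementation. SAMPLE_SECRET is a constructed value.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Assumption: 26-symbol alphabet as used by the open-source SDA implementation.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
PERIOD = 30  # assumed seconds per code window

# Constructed sample secret (bytes 0..19, base64), not tied to any account.
SAMPLE_SECRET = base64.b64encode(bytes(range(20))).decode()


def hotp_truncate(key: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: HMAC-SHA1 digest -> 31-bit integer."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of last byte picks the 4-byte slice
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def steam_guard_code(shared_secret_b64: str,
                     now: Optional[float] = None) -> Tuple[str, int]:
    """Return (5-character code, seconds until the code expires)."""
    now = time.time() if now is None else now
    # validate=True rejects stray characters instead of silently skipping them.
    key = base64.b64decode(shared_secret_b64, validate=True)
    value = hotp_truncate(key, int(now) // PERIOD)
    chars = []
    for _ in range(5):
        # Base-26 encoding of the truncated value, least significant symbol first.
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars), PERIOD - int(now) % PERIOD


if __name__ == "__main__":
    code, ttl = steam_guard_code(SAMPLE_SECRET)
    print(f"code={code} expires_in={ttl}s")
```

The truncation step is standard RFC 4226/6238; only the final 5-symbol encoding is Steam-specific.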
One key, every Steam endpoint.