i want to make a multiplayer game, and have gotten a basic networking system in. the issue is that i would like to verify that users are who they say they are, using the steam API.
i took a look over the API documentation and found steam.user_get_auth_session_ticket which is nice, but this only solves the user side of things, and there doesn’t seem to be any function for verifying the auth ticket on the server side. am i missing something?
for further context, i don’t plan to (nor really have the means or skills) to host backend servers for this kind of stuff, so i’d like to know if it can all be handled within the game code.
needed functions have since been added
for other people who stumble across this, here’s how you do it:
when initiating a server connection (or P2P), the client should first generate an authentication ticket, and then send the ticket to the server, alongside their steamid.
ticket,handle=steam.user_get_auth_session_ticket() --ticket can be nil. ticket goes to server. handle needs to be stored for later use
client_steam_id=steam.user_get_steam_id() --forward to the server for validation+identification
next, when the server (or other client, in P2P) receives the data, it needs to validate it
response_code=steam.user_begin_auth_session(ticket,client_steam_id)
if response_code==steam.EAuthSessionResponseOK then --additional enums exist, starting with steam.EAuthSessionResponse
--valid client handling
else
--invalid client handling
end
now, when a connection is ended, through the server shutting down, the client leaving, or anything else, the auth ticket needs to be revoked on both the client and server (or other client, if P2P)
on the client side, you call this
steam.user_cancel_auth_ticket(handle) --use the handle returned by user_get_auth_session_ticket
and on the server (or other client) side, it’s this
steam.user_end_auth_session(client_steam_id)
a few things to note:
it’s ok if you forget to invalidate an auth key here or there, it won’t bring down the server or make the game unplayable, they auto-expire.
never send a client’s auth key to a different client. ideally, don’t store the auth ticket at all after the auth session is started
this method of authentication automatically checks for game bans and user ownership, how convenient.
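Putting the steps from the post together, as an added example that is not part of the original post and not the Steamworks extension's own code: a small Lua module that does the bookkeeping the post calls for, keeping only the ticket handle on the client, keeping only validated peers on the server, dropping the ticket as soon as the session is started, and ending sessions on every disconnect or shutdown path. The `steam.*` calls and the `steam.EAuthSessionResponseOK` check are exactly the ones named above; `peer_id`, the join message shape, the module name `steam_auth` and the `authed_peers` table are assumptions for illustration and not part of any extension API. One caveat from the native Steamworks API: `BeginAuthSession` there also reports a later, asynchronous verdict through a `ValidateAuthTicketResponse_t` callback (for example when a user is banned or logs in elsewhere mid-session), and a ticket presented a second time is rejected as already used; whether and how the extension surfaces that callback is not covered by the post, so this example relies only on the synchronous return value shown above.

```lua
-- steam_auth.lua (added example; module name and message shape are assumptions)
-- Relies only on the extension calls named in the post:
--   steam.user_get_auth_session_ticket() -> ticket, handle
--   steam.user_get_steam_id()
--   steam.user_begin_auth_session(ticket, steam_id) -> response code
--   steam.user_end_auth_session(steam_id)
--   steam.user_cancel_auth_ticket(handle)
local M = {}

----------------------------------------------------------------
-- client side
----------------------------------------------------------------
local client_ticket_handle = nil -- keep the handle; the ticket itself is sent and forgotten

-- Build the join message to send to the server (or the validating peer in P2P).
-- Returns nil plus a reason if Steam could not issue a ticket.
function M.client_make_join_message()
  local ticket, handle = steam.user_get_auth_session_ticket()
  if ticket == nil then
    return nil, "no auth ticket (Steam not running or user not logged in?)"
  end
  -- Reconnecting without a clean disconnect: cancel the stale ticket first
  if client_ticket_handle ~= nil then
    steam.user_cancel_auth_ticket(client_ticket_handle)
  end
  client_ticket_handle = handle
  return { type = "join", steam_id = steam.user_get_steam_id(), ticket = ticket }
end

-- Call on every way the connection can end (server gone, user quit, error)
function M.client_on_disconnect()
  if client_ticket_handle ~= nil then
    steam.user_cancel_auth_ticket(client_ticket_handle)
    client_ticket_handle = nil
  end
end

----------------------------------------------------------------
-- server side (or the validating peer in P2P)
----------------------------------------------------------------
local authed_peers = {} -- peer_id -> steam_id, only for peers that passed validation

-- Handle a "join" message from a not-yet-authenticated peer.
-- Returns true on success, or false plus a reason / the response code on failure.
function M.server_on_join(peer_id, msg)
  if type(msg) ~= "table" or msg.ticket == nil or msg.steam_id == nil then
    return false, "malformed join"
  end
  if authed_peers[peer_id] ~= nil then
    return false, "peer already authenticated"
  end
  -- The claimed steam_id is untrusted until begin_auth_session agrees that
  -- this ticket was issued to that account.
  local rc = steam.user_begin_auth_session(msg.ticket, msg.steam_id)
  msg.ticket = nil -- never store or forward the ticket once the session is started
  if rc ~= steam.EAuthSessionResponseOK then
    return false, rc -- other steam.EAuthSessionResponse* values say why
  end
  authed_peers[peer_id] = msg.steam_id
  return true
end

-- Gate for gameplay messages: ignore anything from an unauthenticated peer.
function M.server_is_authed(peer_id)
  return authed_peers[peer_id] ~= nil
end

-- Steam ID to use for identification once the peer is validated (nil otherwise).
function M.server_steam_id_of(peer_id)
  return authed_peers[peer_id]
end

-- Call on disconnect, kick, timeout, or any other reason the peer leaves.
function M.server_on_peer_left(peer_id)
  local steam_id = authed_peers[peer_id]
  if steam_id ~= nil then
    steam.user_end_auth_session(steam_id)
    authed_peers[peer_id] = nil
  end
end

-- Server shutdown: end every session so nothing is left dangling on Steam's side.
function M.server_shutdown()
  for peer_id in pairs(authed_peers) do
    M.server_on_peer_left(peer_id)
  end
end

return M
```

Usage follows the post's order: the client sends the table returned by `client_make_join_message()` as its first message; the receiving side passes it to `server_on_join(peer_id, msg)` and drops the peer on `false`; every later message is checked with `server_is_authed(peer_id)` before it is acted on, and the per-peer and shutdown cleanup functions are wired to the transport's disconnect hooks so the revoke calls happen on both ends.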