Counter-Strike 2

198 ratings
How to avoid API scam
By: tete
Steam's API Key
This guide breaks down one of Steam's most infamous scam methods, the API scam, and how best to prevent it from happening to you.


Steam's API key gives a service the ability to freely create and decline trade offers on your account's behalf.

The only circumstance in which you would ever need an API key is when using a legitimate p2p (peer-to-peer) trading site. Most users will never need to use an API key, which is exactly why it is one of the most dangerous ways to get scammed.

You MUST NEVER hand out your API key to other users in any situation, or to services you do not trust. For most people there is also no real reason to need an API key at all.
How Do I Access My API Key?
Your API key can be found here: https://sp.zhabite.com/dev/apikey

The two images below show what an unassigned and an assigned API key look like. You can only have one active API key at a time.
Overview Of The API Scam
How it works:

Step 1: The scammer will send you a phishing link - a link which steals your login details or personal information, giving the scammer access to your account.

Step 2: The scammer creates an API key.

Step 3: Any trade offers you make will be cancelled and redirected to an impersonator's account which is 'face identical' to the real user you are trading with.


Some very common methods of phishing links are:

1. You win a free item and must claim it by logging into a dodgy website.

2. You are asked to send full details/price evaluation and must login to dodgy website.

3. You are asked to compete in a small tournament hosted by a dodgy website and must login.

4. You are asked to help someone by voting for their submission (such as artwork), in some sort of competition and must login to vote.

5. You are given an incorrect 'steamcommunity' link which you are required to log in to. Note that the ' https://sp.zhabite.com ' domain is protected; however, scammers may use lookalikes such as 'steamcommunility' etc.
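The lookalike-domain lure in point 5 is easy to check mechanically: the hostname of a login link must match a known Steam domain exactly, not merely contain it or look like it. The following Python is an added example, not part of this guide; the sp.zhabite.com entry is the domain this guide links to, steamcommunity.com and store.steampowered.com are Steam's own domains, and the sample links are constructed, not real scam sites.

```python
from urllib.parse import urlsplit

# Allow-list of hosts treated as genuine Steam login destinations.
# sp.zhabite.com is the domain this guide links to; the other two are
# Steam's own domains (an assumption about what you would allow).
TRUSTED_LOGIN_HOSTS = frozenset({
    "sp.zhabite.com",
    "steamcommunity.com",
    "store.steampowered.com",
})


def login_host(url: str) -> str:
    """Return the exact hostname of a link: lower-cased, without port or trailing dot."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip(".").lower()


def is_trusted_login_url(url: str) -> bool:
    """A login link is trusted only when it uses https AND its hostname is an
    exact allow-list match.  Substring matching is deliberately avoided:
    'steamcommunility.com' resembles the real name and
    'sp.zhabite.com.example.net' contains it, but neither is it."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    return login_host(url) in TRUSTED_LOGIN_HOSTS


# Constructed sample links illustrating the lures in the guide (not real sites).
SAMPLE_LINKS = [
    "https://sp.zhabite.com/login/home/",            # genuine
    "https://steamcommunility.com/login",            # typo-squat lookalike
    "https://sp.zhabite.com.example.net/login",      # real name as a subdomain prefix
    "http://sp.zhabite.com/login/home/",             # right host, but not https
]


def classify_links(links):
    """Return {link: verdict} so a whole batch of pasted links can be screened."""
    return {u: ("trusted" if is_trusted_login_url(u) else "DO NOT LOG IN") for u in links}


if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:14} {link}")
```

The check is intentionally strict: anything that is not an exact https match is rejected, which matches the guide's advice that you should already be signed in to Steam and should never type credentials into a page that merely looks like Steam.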
In-Depth Breakdown (Step 1)
When logging into any website which requires Steam, you will be presented with one of two login methods. Before logging into any site, make sure you sign in directly to Steam first: once you are logged in, you will not be asked for your login credentials again unless you are signed out of the Steam browser. This first step is a good (but not foolproof) way of filtering out some scam sites at a very early stage. This is the initial stage of the API scam, and it is very difficult to know whether your account has been compromised until it is too late.

How it works:

Step 1: The scammer will send you a phishing link - a link which steals your login details or personal information, giving the scammer access to your account.


How to stay safe:
Ensure you are logged in directly to Steam before signing into any sites.

Do not click on any links or login to any sites sent by anyone (even friends) that you do not trust or are not familiar with.

If presented with the 'FAKE LOGIN' interface, ensure you DO NOT enter your login credentials. You should not be required to re-enter your login if you have already signed into Steam beforehand.
In-Depth Breakdown (Step 2)
Your API key can be found here: https://sp.zhabite.com/dev/apikey

Most users will never require an API key. If you did not assign an API key and you find one assigned, your account has been compromised; follow the steps in the 'Resecure Your Account' section of this guide. Assigning an API key is the backbone of the API scam. The key can be assigned at any later time as long as the stolen login session has not been logged out.

How it works:

Step 2: The scammer creates an API key.


How to stay safe:
Verify there is no API key assigned.

In the event that there is an API key that you did not assign, change your password immediately, deauthorise all devices (shown below) and revoke the API key.
In-Depth Breakdown (Step 3)
The scammer has now assigned an API key, giving them the ability to create and decline trade offers.

When trading with your intended trader, before you confirm via the mobile authenticator, the API can redirect the trade to a scammer's account which copies the name and profile picture of your intended trader. This is very easy to overlook, especially since the most recent Steam mobile app does not display the user's registration date. There are several ways to make sure you are confirming a trade with your intended trader and not a scammer.

How it works:

Step 3: Any trade offers you make will be cancelled and redirected to an impersonator's account which is 'face identical' to the real user you are trading with.

How to stay safe:
Add the user on Steam prior to sending any trades. The trade confirmation will display a 'friend' icon which can act as an extra layer of security.

Ensure the Steam level in the trade confirmation matches the intended trader's Steam level, as well as their displayed badge.

Do not send an empty trade offer: it is always handy to add a 3 cent sticker on the intended trader's side, as most API bots will not have an item. Then, if the 'intended trader's' items you are receiving show as empty when you confirm the trade, your account has been compromised. The image below shows the three verification methods.

When using third-party sites, open the trade from within the site rather than navigating to your Steam trade offers.

When confirming via the mobile app, open up the confirmation then proceed to check your trade offers here: https://sp.zhabite.com/id/me/tradeoffers/sent/ and verify there is no cancelled trade offer. If you see an image similar to the one shown below - where there is an active and cancelled trade offer which are both identical, your account has been compromised.

Click on the user's icon in the trade to go to their profile and ensure it is the same user. You can also verify the account creation date by pasting their Steam URL into https://steamid.uk/ . Another good indication is that most API scam bots have a Steam URL of the form '/profiles/XXX' (where X is a long number) as opposed to '/id/...'.
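The checks in this section (friend status, matching Steam level, the marker sticker on the receiving side, an identical cancelled-plus-active offer pair, and the numeric '/profiles/' URL) can be expressed as a small audit over your sent offers. The Python below is an added example written for this guide, not Steam's own code or API: the TradeOffer record is a simplified, assumed shape rather than the Steam Web API's response format, and the SteamIDs, names and items are constructed sample data.

```python
import re
from dataclasses import dataclass

# Simplified, assumed record shape for a sent trade offer (not Steam's API format).
@dataclass(frozen=True)
class TradeOffer:
    offer_id: str
    partner_steamid: str
    partner_profile_url: str
    partner_name: str
    partner_level: int
    partner_is_friend: bool
    items_to_give: tuple        # what you are sending
    items_to_receive: tuple     # what you expect back (e.g. the marker sticker)
    state: str                  # "active" or "cancelled"

# Numeric-only profile URL, the form the guide notes is typical of API scam bots.
PROFILES_URL = re.compile(r"^https://[^/]+/profiles/\d+/?$")


def partner_warnings(offer, expected):
    """Per-offer checks the guide recommends before confirming in the mobile app."""
    warnings = []
    if offer.partner_steamid != expected["steamid"]:
        warnings.append("partner SteamID does not match the trader you intended")
    if not offer.partner_is_friend:
        warnings.append("partner is not on your friends list")
    if offer.partner_level != expected["level"]:
        warnings.append(f"partner level {offer.partner_level} != expected {expected['level']}")
    if PROFILES_URL.match(offer.partner_profile_url):
        warnings.append("partner uses a numeric /profiles/ URL (common for API scam bots)")
    if not offer.items_to_receive:
        warnings.append("receiving side is empty (the marker sticker is missing)")
    return warnings


def redirected_pairs(offers):
    """The telltale signature from the guide: a cancelled offer and an active one
    with identical items on your side but sent to a different partner."""
    cancelled = [o for o in offers if o.state == "cancelled"]
    active = [o for o in offers if o.state == "active"]
    return [(c.offer_id, a.offer_id) for c in cancelled for a in active
            if a.items_to_give == c.items_to_give and a.partner_steamid != c.partner_steamid]


def audit_sent_offers(offers, expected):
    """Audit the sent-offers list; 'compromised' is set when an offer was redirected
    or an active offer points at someone other than the intended trader."""
    pairs = redirected_pairs(offers)
    per_offer = {o.offer_id: partner_warnings(o, expected) for o in offers if o.state == "active"}
    wrong_partner = any(o.partner_steamid != expected["steamid"]
                        for o in offers if o.state == "active")
    return {"redirected_pairs": pairs, "offers": per_offer,
            "compromised": bool(pairs) or wrong_partner}


# Constructed sample data: the trader you meant to deal with.
EXPECTED_PARTNER = {"steamid": "76561198000000001", "level": 42}

ITEMS = ("AK-47 | Redline (Field-Tested)",)
STICKER = ("Sticker | 3 cent marker",)

# Scenario 1: the guide's compromise pattern. Offer 1001 to the real trader was
# cancelled and an identical active offer 1002 now points at a look-alike account.
SAMPLE_OFFERS_COMPROMISED = [
    TradeOffer("1001", "76561198000000001", "https://sp.zhabite.com/id/intended-trader",
               "IntendedTrader", 42, True, ITEMS, STICKER, "cancelled"),
    TradeOffer("1002", "76561198000000099", "https://sp.zhabite.com/profiles/76561198000000099",
               "IntendedTrader", 0, False, ITEMS, (), "active"),
]

# Scenario 2: a normal trade with the intended, friended partner.
SAMPLE_OFFERS_CLEAN = [
    TradeOffer("2001", "76561198000000001", "https://sp.zhabite.com/id/intended-trader",
               "IntendedTrader", 42, True, ITEMS, STICKER, "active"),
]

if __name__ == "__main__":
    for label, offers in (("compromised", SAMPLE_OFFERS_COMPROMISED), ("clean", SAMPLE_OFFERS_CLEAN)):
        print(label, audit_sent_offers(offers, EXPECTED_PARTNER))
```

In the compromised scenario the audit reports the 1001/1002 pair and five warnings on the active offer, which is exactly the picture the guide describes: identical items, a partner who is not your friend, a mismatched level, a numeric profile URL and an empty receiving side. If you adapt this to real data, treat the redirected-pair signal as decisive and go straight to the 'Resecure Your Account' steps.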
Resecure Your Account
You have found that your account has been compromised by a phishing link. How do you go about resecuring it?

Step 1: Change your password.

Step 2: Deauthorise all devices.

Step 3: Remove API key.


Step 1 - How to change your password:

Access 'Change your password' here: https://sp.zhabite.com/steamstore/account/

Scroll down to the 'ACCOUNT SECURITY' section and select 'Change my password'.


Step 2 - How to deauthorise all devices:

Access 'Deauthorise all devices' here: https://sp.zhabite.com/steamstore/twofactor/manage

Select 'Deauthorise all devices'. You will be required to log in to every site and mobile device again. Ensure you log in to https://sp.zhabite.com first. Also note that deauthorising your devices will log you out of the Steam mobile authenticator, meaning you cannot access any of its features, including confirmations. You will need to remove the authenticator via the link above and reinstall the Steam app, resulting in a 15 day trade hold once the authenticator is re-enabled.

Step 3 - How to remove API key:

Access your Steam API key here: https://sp.zhabite.com/dev/apikey

Select 'Revoke My Steam Web API Key' and select 'OK'.
Two-Factor Authenticator and Family View
Steam's Two-Factor Authentication should be the absolute minimum level of security for all users. An outline of what it does and how it can help you is given below. In addition, Steam's Family View is a very useful feature which requires a PIN to access specific sections of your Steam account.

An important note: you should never share your email address or phone number, as these can be used to recover your account, as well as to hijack it.


Steam Two-Factor Authentication - https://sp.zhabite.com/steamstore/twofactor/manage :
Should be the bare minimum level of security for all users.

Enabled in the Steam mobile app; allows you to confirm trades instantly and removes the 7 day/15 day trade hold when sending items (after having it enabled for 7 days).

This also allows you to easily verify Steam level, displayed badge and friend status prior to confirming any trade.


Steam Family View - https://sp.zhabite.com/steamstore/parental/set :
An additional security measure which requires a PIN to access specific parts of your Steam account (which you choose; for example specific games, 'Steam store', 'Community-generated content', 'Friends, chat and groups' and 'My online profile, screenshots and achievements').

Enabled via the Steam browser. The options you tick are what you can access without entering the PIN. It is a good idea to tick only 'Friends, chat and groups' in the Online content & features section.

Note that 'Community-generated content' includes modifying the API key and access to the Steam market. You also cannot send trade offers via an API key if the 'My online profile, screenshots and achievements' option is not ticked.

Whenever you log back into Steam or relaunch the Steam app, you will need to re-enter the PIN to access Family View locked content.
Thanks For Reading
If you found this guide useful, an upvote would be highly appreciated. You can also favourite the guide and showcase it on your Steam profile as your 'Favourite Guide'.

Sharing this guide, as well as the 'Scam Prevention Guide' (which covers many other common scam techniques), would be highly appreciated and will hopefully help reduce the number of scams in the future.
59 comments
Amat Apr 25, 9:00
I have never had an API key to begin with so the third step can’t be done for the resecuring process?
𝗘𝗿𝗳𝗮𝗻_Org Oct 26, 2024, 14:24
:RT_moon::blueFlowerNKOA:   :bgt_heart::bgt_heart:   :bgt_heart::bgt_heart:   :blueFlowerNKOA::RT_moon:
:blueFlowerNKOA:   :bgt_heart::atomical::brotherblood::bgt_heart::brotherblood::atomical::bgt_heart:   :blueFlowerNKOA:
:atomical:   :bgt_heart::brotherblood::darkred::atomical::darkred::brotherblood::bgt_heart:   :atomical:
:atomical:   :atomical::bgt_heart::atomical::darkred::atomical::bgt_heart::atomical:   :atomical:
:redjewel:   :atomical:   :bgt_heart::brotherblood::bgt_heart:   :atomical:   :redjewel:
      :atomical:   :atomical::bgt_heart::atomical:   :atomical:
      :tu:   :atomical:   :atomical:   :ukk:
            :uuu:   :ur:
Old Man Juarez ✞ May 10, 2024, 6:26
˗ˏ:csgoct: ˎ˗
MAD ZOMBI KILLA May 9, 2024, 11:20
"Step 3: Any trade offers you make will be cancelled and redirected to an impersonators account which is 'face identical' to the real user you are trading with." This is false, they can automatically accept a trade. I was under the impression that was it, but no, that's how I lost all of my skins.
sinned Apr 25, 2024, 7:57
:HentaiGirlBetty_athlete:
ZergSword Mar 14, 2024, 3:52
:succubus_love:
Rainclouds Jan 27, 2024, 4:35
:grassyheart::raincssb:
Arbiter Spectre Jan 12, 2024, 14:34
Very informative, thank you for making this!
Prince Vegeta Jan 11, 2024, 16:53
:104: :vegeta:
opl ❍_❍ veccy Jan 11, 2024, 11:53
Thank you
ㅤㅤㅤㅤㅤrated :PulseG: