Even though I mostly use docker composes for dev, and managed database solutions for prod, smaller projects might still find it useful to set up PostgreSQL locally. In this article, I'll walk through how to do it on a Ubuntu server specifically (I'll use a EC2 instance running Ubuntu 24.04.1).

1. Installations

Firstly, we'll have to install all the packages we need, which starts with an update to our package list:

sudo apt update

Run the following command to install PostgreSQL:

sudo apt install postgresql postgresql-contrib

2. Setting up a user

Accessing the database is done with a user. In a NodeJS application it might look something like this:

import { Pool } from 'pg';
import dotenv from 'dotenv';
dotenv.config();

export const pool = new Pool({
    user: process.env.POSTGRES_USER,
    host: process.env.POSTGRES_HOST,
    database: process.env.POSTGRES_DATABASE,
    password: process.env.POSTGRES_PASSWORD,
    port: parseInt(process.env.POSTGRES_PORT as string),
});

As such, we'll have to make sure we create a user with the POSTGRES_USER and POSTGRES_PASSWORD we've added to the application's environment variables.

To access the Postgres database, we'll have to switch user to the one created during installation:

sudo -i -u postgres

And then access the shell by using:

psql

In the shell, we'll create our user:

CREATE USER tf2bot WITH PASSWORD '50d56046-0d01-4865-901c-a9b3fac8e1f8';

(you can change the username and password to whatever fits your application best. In this case it will be used for a TF2 Steam bot).

Instead of creating the database with the default user and changing owner, I like to allow the newly created user to create databases:

ALTER USER tf2bot CREATEDB;

(change tf2bot to the username you used in the previous step)

For the next step, we need to locate a configuration file. This is easily done using the following command:

SHOW hba_file;

That should print something like:

              hba_file               
-------------------------------------
 /etc/postgresql/16/main/pg_hba.conf
(1 row)

Let's exit the shell for now:

\q

And then ctrl + D to go back to our root user.

ctrl + D

3. Configuring Postgres to allow sign in with password

Depending on what was printed in the previous step, the following command might look different (depending on postgres version, etc.) Excluding the final file, let's navigate to the directory within which it resides:

cd /etc/postgresql/16/main/

To edit the file of interest, we'll utilize nano:

sudo nano pg_hba.conf

Scroll down to the following line and change "peer" to "scram-sha-256"

# "local" is for Unix domain socket connections only
local   all             all                                peer

It should look like this when you're done:

# "local" is for Unix domain socket connections only
local   all             all                                scram-sha-256

Afterwards, we'll have to restart postgres:

sudo systemctl restart postgresql

If all went well, you should now be able to directly sign in to the user you created:

psql -U tf2bot -d postgres

You'll be prompted for a password, enter the one you added during setup (in my case 50d56046-0d01-4865-901c-a9b3fac8e1f8)

Remain in the shell and move on to step 4.

4. Adding our database

To add a database to postgres, use the following command:

CREATE DATABASE tf2bot;

Afterwards, you can connect to the database using:

\c tf2bot;

In here, paste the database.sql file of your project, and you'll be good to go!

Exit the postgres shell when you are done:

\q

Update March 14th, 2026: Valve pushed an update to inspect links last night, rendering this guide deprecated. After updating CSInventoryAPI I'll probably add a new blog post explaining the changes paired with a new guide.

In an attempt to make CSInventoryAPI more accessible, I figured I would put together a quick article detailing how to successfully use our most popular endpoint, the inspect API (/api/v1/inspect)

The ?url= property

The only thing we need to obtain the advanced item info for a specific item is the inspect url, most easily found by navigating to your own inventory, clicking an item, and finding the "Inspect in Game..." button.

If you copy that link address, you will find something with a close resemblance to:

steam://rungame/730/76561202255233023/+csgo_econ_action_preview%20S76561198166295458A38739886639D768787693327487156

Now, the most important parts of this url is what happens near the end, after the %20 (space).

There are three letters that separate the different sequences of numbers:

• S (steamid64, in this case 76561198166295458)
• A (assetid of the item, in this case 38739886639)
• D (a random number as far as I know, we will not have to worry about this).

Testing the inspect endpoint

Armed with this inspect link, you can try out the endpoint using the swagger UI available at https://csinventoryapi.com/docs.

If all works well, you should receive an output similar to this:

Fetching floats of items in an inventory using NodeJS

The crux of it is, when fetching an inventory (e.g., by using the https://csinventoryapi.com/api/v1/inventory endpoint), the inspect url does not come pre-populated with the fields required to inspect the item, specifically the S and A properties are only filled with placeholders.

The solutions to this is however relatively straightforward. The S property is set to the steamid64 of the item's owner, and the A property is populated with the item's assetid. Let us see how to do this in practice (all code will be available on GitHub):

Get user inventory

Firstly, we'll build a method to retrieve a user's inventory (also using CSInventoryAPI to avoid rate limits imposed by Steam):

import axios from 'axios';

const API_KEY = process.env.CSINVENTORYAPI_API_KEY;

if (!API_KEY) {
    throw new Error('No API key provided');
}

/**
 * Fetches the inventory of a user
 * 
 * @param {string} steamid64 of the user
 * @returns {Promise<Inventory>} the user's inventory
 */
const getUserInventory = async (steamid64) => {
    const response = await axios.get(
        `https://csinventoryapi.com/api/v1/inventory?api_key=${API_KEY}&steamid64=${steamid64}`
    );

    if (response.data.success !== 1) {
        throw new Error('Failed to fetch inventory');
    }

    if (response.data.total_inventory_count === 0) {
        throw new Error('No items found.');
    }

    if (!response.data.assets || !response.data.descriptions) {
        throw new Error('No assets found.');
    }

    return response.data;
}

Parse user inventory

Armed with this data, and given that the user have items in their inventory, we can go ahead and parse it into a more manageable array of items (Steam divides the assets and the descriptions, why this is a necessary step in most applications utilising inventory fetching).

/**
 * 
 * @param {Inventory} inventory 
 * @returns {Promise<ParsedInventoryItem[]>}
 */
const parseInventory = async (inventory) => {
    const parsedInventory = [];

    for (let i = 0; i < inventory.assets.length; i++) {
        const asset = inventory.assets[i];
        const description = inventory.descriptions.find(d => d.classid === asset.classid);

        if (!description) {
            continue;
        }

        parsedInventory.push({
            appid: asset.appid,
            classid: asset.classid,
            instanceid: asset.instanceid,
            assetid: asset.assetid,
            contextid: asset.contextid,
            icon_url: description.icon_url,
            tradable: description.tradable,
            inspect_url: description.actions && description.actions[0] && description.actions[0].link || null,
            name: description.name,
            market_hash_name: description.market_hash_name,
            name_color: description.name_color
        });
    }

    return parsedInventory;
}

If we now test running these method using the following code:

const inventory = await getUserInventory(steamid64);
const parsedInventory = await parseInventory(inventory);
console.log(parsedInventory);

We will see an array of items that look like this:

{
    appid: 730,
    classid: '720381639',
    instanceid: '5837227973',
    assetid: '38537743650',
    contextid: '2',
    icon_url: '-9a81dlWLwJ2UUGcVs_nsVtzdOEdtWwKGZZLQHTxDZ7I56KU0Zwwo4NUX4oFJZEHLbXH5ApeO4YmlhxYQknCRvCo04DEVlxkKgpovbSsLQJf2PLacDBA5ciJlZG0hOPxNrfunWVY7sBOguzA45W73wy2_BY4Nm32cIWQcA4_ZVCC_1K4kLvohJTt7s6YmnRqs3Yh5y7Zlgv330_d1jhnvw',
    tradable: 1,
    inspect_url: 'steam://rungame/730/76561202255233023/+csgo_econ_action_preview%20S%owner_steamid%A%assetid%D9223627464362234909',
    name: '★ Karambit | Rust Coat',
    market_hash_name: '★ Karambit | Rust Coat (Battle-Scarred)',
    name_color: '8650AC'
}

If we look at the inspect url, we can see that we are missing the S and A properties that I mentioned earlier, and that they are filled with % placeholders. On a positive note, at least they tell us precisely what should be put in their place.

Populating the %owner_steamid% and %assetid% fields

The last step is to populate the fields in the item's inspect url, and actually fetch the floatvalue for each item in the parsed inventory.

/**
 * Populates the float values of the items in the inventory
 * @param {ParsedInventoryItem[]} parsedInventory 
 * @param {steamid64} steamid64 
 * @returns {Promise<ParsedInventoryItem[]>}
 */
const addFloatsToParsedInventory = async (parsedInventory, steamid64) => {
    const parsedInventoryWithFloats = [];

    for (const item of parsedInventory) {
        try {
            if (!item.inspect_url) {
                console.error('No inspect url found for item:', item.market_hash_name);
                continue;
            }

            // replace %owner_steamid% with the steamid64 of the user
            // and %assetid% with the assetid of the item
            const parsedInspectUrl = item.inspect_url
              .replace('%owner_steamid%', steamid64)
              .replace('%assetid%', item.assetid);

            const response = await axios.get(
                'https://csinventoryapi.com/api/v1/inspect?api_key=' + API_KEY + '&url=' + parsedInspectUrl
            );
    
            const { 
              floatvalue, 
              paintseed, 
              paintindex 
            } = response.data.iteminfo;

            parsedInventoryWithFloats.push({
                ...item,
                inspect_url: parsedInspectUrl,
                floatvalue,
                paintseed,
                paintindex
            });

            await new Promise(r => setTimeout(r, 10000));
            console.log('Fetched float values for item:', item.market_hash_name);
        } catch (error) {
            console.log(error);
            console.error('Failed to fetch float values for item:', item.market_hash_name);
        }
    }

    return parsedInventoryWithFloats;
}

If we run this and print the inventory afterwards, we'll see floatvalues for the items that have that property, e.g.:

{
    appid: 730,
    classid: '1310017306',
    instanceid: '5844343608',
    assetid: '28124449669',
    contextid: '2',
    icon_url: '-9a81dlWLwJ2UUGcVs_nsVtzdOEdtWwKGZZLQHTxDZ7I56KU0Zwwo4NUX4oFJZEHLbXH5ApeO4YmlhxYQknCRvCo04DEVlxkKgpoo6m1FBRp3_bGcjhQ09-jq5WYh8j_OrfdqWhe5sN4mOTE8bP5gVO8v106NT37LY-cJAZvZF-ErAC7wLi60MO57s7NwSBgvSgksynamEfmiRBJcKUx0nUflmj0',
    tradable: 1,
    inspect_url: 'steam://rungame/730/76561202255233023/+csgo_econ_action_preview%20S76561198166295458A28124449669D17212839835523578275',
    name: 'USP-S | Kill Confirmed',
    market_hash_name: 'USP-S | Kill Confirmed (Minimal Wear)',
    name_color: 'D2D2D2',
    floatvalue: 0.13473990559577942,
    paintseed: 461,
    paintindex: 504
}

A note on rate limits

The timeout in the loop is to make sure that you do not hit the rate limit imposed by CSInventoryAPI. If you have a business/enterprise plan, the timeout duration can be adjusted accordingly.

If you have any questions, want further help with implementation, or want to start a new project, feel free to contact us.

When building an application utilizing a Steam Bot, e.g., trading applications or gambling websites not using peer-to-peer trading for deposits/withdraws, you will need dedicated Steam accounts that will be used for this purpose. These accounts, which will have their trading and therefore confirmation of trades automated, must still have a mobile authenticator set up to avoid delays with their trading. Seeing as setting up a mobile authenticator on your phone hides away some files you need to access to set the bots up for trading, a program called Steam Desktop Authenticator is commonly used for this purpose.

Prerequisites

Firstly, you will already need a Steam account. Seeing as the registration process is relatively straightforward, I will not be addressing this in the article. I typically use a proton email address (remember to verify it with a real email to not lock your inbox). Furthermore, if the intention is to trade with the account, it might be a good idea to add $5 to the account balance to remove its restriction. I do a more detailed walkthrough of this in my guide on adding a Steam Web API key to a Steam account (something that you should also do for your bot account after we are done setting up Steam Desktop Authenticator).

Since the application is Windows only, you'll also need either a computer running Windows, or run it in a VM. I went with the first option, but whatever floats the boat for you work.

Step 1 - Download the legit version of Steam Desktop Authenticator

Seeing as Steam Desktop Authenticator handles incredibly sensitive data which potentially allows a malicious actor to automatically send trades on your account's behalf, there are several phishing sites and actors that try to get you to download a "fake" version of Steam Desktop Authenticator, to access your Steam account's credentials and probably empty the inventory.

As such, this is the only legit link to the official GitHub repo maintained by Jessecar96 (the creator of the program). We are going to download the 1.0.15 version. Click and download the according zip file:

Step 2 - Add the bot account

After downloading and unzipping the folder, it's time to start the Steam Desktop Authenticator by clicking the "Steam Desktop Authenticator.exe" file. Assuming it is your first time using the application to set up a SteamBot, click "This is my first time and I just want to sign into my Steam Account(s)" when prompted:

Afterward, the application will open, whereupon you will press "Setup New Account" in the top left corner. When prompted to enter login details, enter the username and password of the Steam account that you wish to use as a SteamBot.

Step 3 - Save the revocation code

After signing in, you will be prompted to save your revocation code. This is crucial if someone ever obtains unauthorized access to your Steam account (the risk of which is increased substantially by using it as a SteamBot with sign-in details used in the operation of a web application). You will be prompted to re-enter the revocation code too, to ensure that it has been written down correctly.

Step 4 - SMS code sent to your "phone" (email actually)

Even though Steam Desktop Authenticator asks you to enter the code sent via SMS, the code is sent to your email. This is a relic from past versions of the applications where a phone number was required to set up the mobile authenticator, which curiously is not the case anymore. The email should look something like this:

Step 5 - Re-enter revocation code

As a last step of the setup process, you will be asked to enter the revocation code as specified in Step 3. As mentioned before, this is to ensure that you wrote it down, as it is in your best interest to have this information if you ever need support to get your account back from a malicious actor.

Step 6 - Write down .maFile information

There we go! Now, with a mobile authenticator set up, we can obtain the information we need to automate trading with the SteamBots through code. The fields we are looking for are called sharedSecret (used for automatically generating the 2fa code required to sign in) and identitySecret (used to automate confirmation of trades where the bot has items to give.

To find said properties, you need to navigate to the folder holding all Steam Desktop Authenticator files and navigate to the maFiles subfolder:

If you have multiple accounts (like is the case here), the format is {BOT_STEAMID64}.maFile, so go ahead and open the one that's relevant for the bot account you are setting up right now. Use https://steamid.io if you need to obtain the account's steamid64.

Opening the file, it should start with:

{"shared_secret":"XXXX",...

If not, and the content looks random, the file is likely encrypted. You can turn off encryption in the app under "Manage Encryption", in the top right corner.

Closer to the middle of the file's object you will find

"identity_secret":"XXXX"

which is the second value you will need to automate trading.

Next steps

If you are looking to develop SteamBots with trading capabilities yourself, and you enjoy developing with NodeJS, I suggest you check out McKay's tradeoffer manager and all of his other packages.

If you need help setting up, building, developing, and deploying applications utilizing SteamBots, do not hesitate to reach out either via email to kevin@jkmholding.com or via discord to kevalane.

The Steam API key is a necessary component both for developers building applications utilizing the Steam API, but also increasingly for individuals using trading websites/services where their trade offers must be tracked. In this guide, I'll show you how to create a Steam API key for your Steam account and help you remove an account restriction that might be stopping you.

Prerequisites

Before creating a Steam API key, there are certain prerequisites that must be met:

• You must have a Steam account.
• Your account must not be limited (it must have spent $5.00 on games, see this support article).
• You should have read the Steam Web API Terms of Use to avoid breaches.

Obtaining your Steam API key

Firstly, navigate to https://steamcommunity.com/dev/apikey, which is Steam's official page for registering for an API key.

Step 1 - Unrestrict your account

If you are met with the following text when you navigate to the Steam API registration page linked above, your first step will be to remove the restriction on the account. If your account is not restricted, move along to Step 2.

My preferred way to solve this is by adding $5 to the Steam wallet, which can later be spent on buying skins on the Steam market, thereby giving an effective "cost" of around a dollar. Head over to https://store.steampowered.com/steamaccount/addfunds to add funds to the account, and select the minimum fund level, in my case it is €5.

Step 2 - Enter a domain name

Seeing as the API key is a "Web" API key, Steam wants a domain name for the application that will utilize the API key.

From my experience, this is not enforced, meaning any domain can be inserted. However, if you are giving the API key to someone else's application, e.g., a trading website, or using it for your own development project, it is recommended to use the domain "localhost".

Step 3 - Mobile authenticator confirmation

After entering a domain name, you will be met with the following prompt:

This is a relatively new security addition by Steam, which probably was implemented as a safeguard against the increasing number of "API scams" that were conducted. Just confirm the action in your app like you would any other Steam trade.

Step 4 - Copy API key

After confirmation, your Steam Web API key has been generated!

Now, you should NEVER share your Steam API key with the public as I have done in this image. This will give attackers information about trades you are conducting, items you received, and other information. Steam is limiting the API key's use cases to prevent scams, but this is still not something you want to share with the world. Always think twice (and ask why) if someone asks you to provide them with your API key.

And that's it! I hope you found this guide useful. If you need any help, don't hesitate to contact me using any of the methods available on our contact page. If you are interested in hiring us to build a web application utilizing the Steam API, e.g., trading websites, gambling websites, keys-to-crypto trading bots, and other applications, head over to our services page to learn more.

Allowing your users to sign in through steam is essential if you are operating a website connected to Steam’s services in any way. This way of authentication allows you to seamlessly collect user’s SteamID64, thus allowing you to see their Steam inventory, profile picture etc. In this article, I will teach you how to set up a “Sign in through Steam” system on your website using NodeJS.

This article was updated after the passport steam library proved to have another vulnerability (which is not to be unexpected after 8 years of no maintenance).

The solution herein utilized a library built by the one and only Doctor McKay, a true hero within the community of Steam API development.

NPM Installs

If you have not done it already, initialize a project in your folder of choice using a terminal:

npm init -y

To utilize modules, add the following line somewhere inside your package.json file:

{
  ...
  "type": "module",
  ...
}

Afterwards, we are going to need some npm installs. The following installs are required:

npm install express
npm install express-session
npm install steam-signin
npm install dotenv
npm install axios

Don’t have npm installed? Head over to nodejs.org and install it for your operating system of choice.

Start building the server

Assuming we are working on a vanilla project, we will need to start with the necessary code to build a simple server. All the code can be found on GitHub.

// Require all the installs
// Require all the installs
import express from "express";
import session from "express-session";
import SteamSignIn from "steam-signin";
import dotenv from "dotenv";
dotenv.config();
import axios from "axios";

// Create a new SteamSignIn object
const realm = process.env.API_URL;
const signIn = new SteamSignIn(realm)

// Create an express app
const app = express();

// Set up the session
app.use(session({
    secret: process.env.SECRET,
    resave: false,
    saveUninitialized: true,
}));

// Let's set a port
const port = 3000;

// Spin up the server
app.listen(port, () => {
    console.log('Listening, port ' + port);
});

We will also need to create a .env file (you can rename the .env.example if you are following along within the github repository):

SECRET=whatever-you-want
API_URL=http://localhost:3000
STEAM_API_KEY=your-steam-api-key # we will retrieve this later

You can run this code using (given that you named your application file index.js):

node index.js

If you get any errors at this point, make sure that all the packages are installed correctly.

Set Steam API key

To obtain player details (like account name and avatar), you will need to set up an API Key for your Steam account. I wrote another blog post that is available here, taking you through all the necessary steps. Add it to the .env file above.

Creating the primary route

To be able to access the sign-in functionality, we need to expose a few routes. Firstly, we will build the route that users will get redirected to from the front-end.

app.get('/api/v1/auth/steam', (req, res) => {
    res.statusCode = 302;
    res.setHeader(
        "Location",
        signIn.getUrl(process.env.API_URL + '/api/v1/auth/steam/return')
    )
    res.end();
});

This code initializes the sign in, and then redirects to our own route, which we will build next:

Build return route

app.get('/api/v1/auth/steam/return', async (req, res) => {
    res.setHeader('Content-Type', 'text/plain');
    try {
        let steamId = await signIn.verifyLogin(req.url);

        const steamid64 = steamId.getSteamID64();
        const response = await axios.get(`https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=${process.env.STEAM_API_KEY}&steamids=${steamid64}`)
        const { avatarfull, personaname } = response.data.response.players[0];

        req.session.user = {
            steamid64,
            avatarfull,
            personaname,
        }
        await req.session.save()
    
        res.redirect(process.env.API_URL);
    } catch (error) {
        console.error(error);
        return res.status(500).send('There was an error signing in.');
    }
});

A lot going on here. The important section (that verifies the sign in), is the line where we get tha authenticated user's steamId.

After this, we fetch typical info that applications display of the signed in user, namely their steam profile avatar, and their display name (personaname).

This is then saved to our session, which allows us to maintain the signed in state across requests. Like with the primary route, a redirect is present to another route:

Home route

app.get('/', (req, res) => {
    const { user } = req.session;
    res.status(200).send(user);
});

With this route, we are simply returning the data of the signed user (if they are signed in).

Connecting to the front-end

The ‘/api/v1/auth/steam’ route is the one we redirect users to from the front-end using a simple href:

<a href="http://localhost:3000/api/v1/auth/steam">Sign in</a>

Having added this code, start your server and navigate to said URL, and you should be met with the following familiar official Steam page:

Now, sign in using your own Steam account and you will be redirected to the main page, localhost:3000/, where you will be met with the following:

This is just the body of ‘req.session.user’ (see the ‘/’ route, where you can see the res.send()). From this JSON data you can get the user’s Steamname, avatar and their steamid64.

This example only serves as a simple setup for you to build upon. For example, a real website will probably have a database where user information is stored, therefore you would need to manipulate the JSON data after authentication and insert the necessary information into your database of choice.

If you have any questions, do not hesitate to get in touch, either by emailing me directly kevin@jkmholding.com, by adding me on discord, or by using any of the other methods of contact available on our contact page.

If you are interested in hiring us to create a project utilizing the Steam API, e.g., trading bots, gambling websites, skin trading websites, and more, head over to our services page to see what we can do.