steambot

Step-by-Step Guide to Setting Up Steam Desktop Authenticator for a Steam Bot

Kevin Rasmusson

5 min read
Step-by-Step Guide to Setting Up Steam Desktop Authenticator for a Steam Bot

When building an application utilizing a Steam Bot, e.g., trading applications or gambling websites not using peer-to-peer trading for deposits/withdraws, you will need dedicated Steam accounts that will be used for this purpose. These accounts, which will have their trading and therefore confirmation of trades automated, must still have a mobile authenticator set up to avoid delays with their trading. Seeing as setting up a mobile authenticator on your phone hides away some files you need to access to set the bots up for trading, a program called Steam Desktop Authenticator is commonly used for this purpose.

Prerequisites

Firstly, you will already need a Steam account. Seeing as the registration process is relatively straightforward, I will not be addressing this in the article. I typically use a proton email address (remember to verify it with a real email to not lock your inbox). Furthermore, if the intention is to trade with the account, it might be a good idea to add $5 to the account balance to remove its restriction. I do a more detailed walkthrough of this in my guide on adding a Steam Web API key to a Steam account (something that you should also do for your bot account after we are done setting up Steam Desktop Authenticator).

Since the application is Windows only, you'll also need either a computer running Windows, or run it in a VM. I went with the first option, but whatever floats the boat for you work.

Step 1 - Download the legit version of Steam Desktop Authenticator

Seeing as Steam Desktop Authenticator handles incredibly sensitive data which potentially allows a malicious actor to automatically send trades on your account's behalf, there are several phishing sites and actors that try to get you to download a "fake" version of Steam Desktop Authenticator, to access your Steam account's credentials and probably empty the inventory.

As such, this is the only legit link to the official GitHub repo maintained by Jessecar96 (the creator of the program). However, the latest official release (1.0.13) contains a bug that stops users from being able to add accounts correctly. Therefore, we are going to download the 1.0.14 pre-release version. Click and download the according zip file:

Step 2 - Add the bot account

After downloading and unzipping the folder, it's time to start the Steam Desktop Authenticator by clicking the "Steam Desktop Authenticator.exe" file. Assuming it is your first time using the application to set up a SteamBot, click "This is my first time and I just want to sign into my Steam Account(s)" when prompted:

Afterward, the application will open, whereupon you will press "Setup New Account" in the top left corner. When prompted to enter login details, enter the username and password of the Steam account that you wish to use as a SteamBot.

Step 3 - Save the revocation code

After signing in, you will be prompted to save your revocation code. This is crucial if someone ever obtains unauthorized access to your Steam account (the risk of which is increased substantially by using it as a SteamBot with sign-in details used in the operation of a web application). You will be prompted to re-enter the revocation code too, to ensure that it has been written down correctly.

Step 4 - SMS code sent to your "phone" (email actually)

Even though Steam Desktop Authenticator asks you to enter the code sent via SMS, the code is sent to your email. This is a relic from past versions of the applications where a phone number was required to set up the mobile authenticator, which curiously is not the case anymore. The email should look something like this:

Step 5 - Re-enter revocation code

As a last step of the setup process, you will be asked to enter the revocation code as specified in Step 3. As mentioned before, this is to ensure that you wrote it down, as it is in your best interest to have this information if you ever need support to get your account back from a malicious actor.

Step 6 - Write down .maFile information

There we go! Now, with a mobile authenticator set up, we can obtain the information we need to automate trading with the SteamBots through code. The fields we are looking for are called sharedSecret (used for automatically generating the 2fa code required to sign in) and identitySecret (used to automate confirmation of trades where the bot has items to give.

To find said properties, you need to navigate to the folder holding all Steam Desktop Authenticator files and navigate to the maFiles subfolder:

If you have multiple accounts (like is the case here), the format is {BOT_STEAMID64}.maFile, so go ahead and open the one that's relevant for the bot account you are setting up right now. Use https://steamid.io if you need to obtain the account's steamid64.

Opening the file, it should start with:

{"shared_secret":"XXXX",...

If not, and the content looks random, the file is likely encrypted. You can turn off encryption in the app under "Manage Encryption", in the top right corner.

Closer to the middle of the file's object you will find 

"identity_secret":"XXXX"

which is the second value you will need to automate trading.

Next steps

If you are looking to develop SteamBots with trading capabilities yourself, and you enjoy developing with NodeJS, I suggest you check out McKay's tradeoffer manager and all of his other packages.

If you need help setting up, building, developing, and deploying applications utilizing SteamBots, do not hesitate to reach out either via email to kevin@jkmholding.com or via discord to kevalane.