
What Is an API Scam

An API scam is a form of fraud that can occur on the Steam platform.


It involves exploiting Steam security vulnerabilities and users’ lack of awareness to trick them into giving away their in-game items.


The Steam API key, which can be generated for any Steam account, allows managing trade offers but cannot complete trades by itself — completing a trade always requires a Steam Guard Mobile Token.


How API Scam Works


  1. A Steam user (often lured by an attractive or unrealistic trade offer) visits a website pretending to be an official service or imitating another site.
  2. They are redirected to a fake Steam login page where they enter their login credentials and Steam Guard Mobile code.
  3. Once these details are entered, scammers gain access to the user’s account by adding their own API key.
  4. The Steam API key can be obtained on a special page after logging into the Steam account.
  5. With the API key, scammers run an automated script that monitors all incoming trade offers.
  6. When a new offer appears, the script reads its details and creates a fake trade offer from an account that looks visually similar to the original intended trade partner.
  7. The original trade offer is automatically canceled, and the fake offer is sent to the user.
  8. When the user accepts the fake offer using their Steam Guard Mobile Token, they unknowingly send their items to the scammers.


⚠️ Important: In the Incoming Trade Offer History, you may notice two entries: the real offer will show as “Trade Declined (date & time)” and the fake offer will show as “Trade Accepted (date & time)”.



How to Spot API Scam


Before accepting a trade offer using Steam Guard Mobile Token, check the following:


  • Verify the profile details of the sender (nickname, avatar, etc.)
  • Compare the Steam level — fraudulent accounts often have mismatched levels
  • Check the profile name history: click on the sender’s avatar or name in the trade offer, then click the arrow next to the name to view previous nicknames
  • Check the account creation date of the sender — this cannot be changed and is a reliable authenticity indicator
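The checks above, together with the declined/accepted pair described in the Important note, can be expressed as a small detection routine. This is an added example, not part of the original article and not Steam code: the `Profile` and `Offer` records, the 0.8 name-similarity threshold, the 10-minute window and all sample values are assumptions, with the data entered by hand rather than fetched from any Steam API.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from difflib import SequenceMatcher

@dataclass
class Profile:  # hypothetical record, copied by hand from a Steam profile page
    steam_id: str
    name: str
    level: int
    created: date  # account creation date, which cannot be changed

@dataclass
class Offer:  # hypothetical row of the incoming trade offer history
    partner: Profile
    status: str  # "declined" or "accepted"
    when: datetime

def mismatches(expected, sender):
    """Name the profile fields where the sender differs from the expected partner."""
    fields = ("steam_id", "level", "created")
    return [f for f in fields if getattr(expected, f) != getattr(sender, f)]

def looks_alike(a, b, threshold=0.8):  # threshold is an assumption
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def swapped_offers(history, window=timedelta(minutes=10)):  # window is an assumption
    """Pair each declined offer with a later accepted offer from a look-alike account."""
    hits = []
    for real in (o for o in history if o.status == "declined"):
        for fake in (o for o in history if o.status == "accepted"):
            delay = fake.when - real.when
            if (timedelta(0) <= delay <= window
                    and fake.partner.steam_id != real.partner.steam_id
                    and looks_alike(real.partner.name, fake.partner.name)):
                hits.append((real, fake, mismatches(real.partner, fake.partner)))
    return hits

# Constructed sample data: every ID, name and date below is made up.
REAL = Profile("76561198000000001", "TradeBot_Mike", 42, date(2015, 3, 1))
FAKE = Profile("76561199000000002", "TradeBot_Mlke", 3, date(2025, 10, 30))
OTHER = Profile("76561198000000003", "Alice", 10, date(2018, 1, 1))
HISTORY = [
    Offer(OTHER, "accepted", datetime(2025, 11, 1, 9, 0)),
    Offer(REAL, "declined", datetime(2025, 11, 2, 18, 0, 5)),
    Offer(FAKE, "accepted", datetime(2025, 11, 2, 18, 0, 40)),
]

if __name__ == "__main__":
    for real, fake, diff in swapped_offers(HISTORY):
        print(f"{real.partner.name} declined, {fake.partner.name} accepted; differs in {diff}")
```

A hit means the accepted offer came from a different account than the declined one despite the near-identical nickname, which is the pattern to look for in the trade offer history.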


How to Protect Yourself from API Scam


  1. Go to Steam API Key Management and revoke your Steam Web API key by clicking “Revoke my Steam Web API key”.
  2. If the key reappears, check your browser and devices for malware.
  3. Go to Steam Two-Factor Management and revoke access for all other devices logged into your account.
  4. Check for other account changes, such as email address updates.
  5. Change your Steam account password. If the same password is used on other websites, change it there as well.
  6. After completing all steps, ensure that a new API key has not been created.
  7. If you use Steam inventory plugins or extensions, verify that they do not generate an API key automatically.


⚠️ Tip: Before every trade, check that your account does not have a Steam Web API key. This simple step significantly increases the security of your trades.

Updated on: 13/11/2025