In the game client, call ISteamUser::GetAuthTicketForWebApi (passing the identity string of your backend) to generate an auth ticket, then hex-encode it and send it to your server
From your secure server, GET https://partner.steam-api.com/ISteamUserAuth/AuthenticateUserTicket/v1/ passing the appid, key (publisher API key), and ticket parameters
Parse the response to obtain the SteamID (64-bit) and verify ownersteamid if you need to confirm the licence owner vs. the player
Cache the validated SteamID for the session duration; re-validate if the session is long-lived
Cancel the auth ticket on the client when the session ends via ISteamUser::CancelAuthTicket
Known gotchas
GetAuthTicketForWebApi is distinct from the older GetAuthSessionTicket; the web-API variant ties the ticket to a named identity string and is required for backend validation via AuthenticateUserTicket
AuthenticateUserTicket must be called from a secure server using your publisher API key, not a standard web API key, and not from the game client
Each ticket is single-use and time-limited; do not reuse a ticket across multiple validation calls
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp