I had some very useful feedback from a Reddit mod from r/gamingsuggestions who talked about the lack of trust around signing in with Steam on a new site, especially when Steam accounts are such high-value assets.
I get it.
My library has, for instance, 221 games in it (and many regrettable $30 CS:GO AK-47 skin purchases). It would absolutely suck to lose it all to some Namecheap-hosted hacker I imagine living in the Balkans.
So here's the deal, bucko.
We use Steam OAuth, which is documented extensively on Steamworks.
Valve says: "OAuth allows partner sites and applications on embedded platforms to perform certain operations on behalf of authenticated Steam users in a secure manner."
All we use the login step for is seeing what you own, what you like to play, and what our algorithm should show you. You're free to use NGF quick mode, but Steam mode actually lets us personalize the experience.
To give people peace of mind, here's a deep look at our practices and how OAuth actually works:
How Steam Authentication Actually Works
When you click "Get Pick" on Next Game Finder's smart tab, here's what happens:
- You get redirected to steamcommunity.com — Steam's official login page, not ours
- You enter your password on Valve's servers — your credentials never reach NGF
- Steam generates a signed token — this proves you authorized the connection
- You're sent back to NGF with that token — we validate it server-to-server
This is OpenID 2.0 authentication. Same protocol securing Steam logins since 2007. Nearly two decades of proven architecture.
Your password never touches our servers. That's not how OpenID works.
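The "validate it server-to-server" step from the list above, as an added Python example that is not NGF's own code: it applies the checks an OpenID 2.0 relying party must make before trusting the token Steam sends back (positive mode, our own return_to, Steam's endpoint, signed fields, single-use nonce) and then echoes the assertion to Steam as check_authentication. The return URL, SteamID and signature are constructed sample values, and the Steam round-trip is replaced by an injected stub so the check runs offline.

```python
import re
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
# Steam identities look like https://steamcommunity.com/openid/id/<17-digit SteamID64>
CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")

def verify_steam_assertion(params, expected_return_to, seen_nonces, post):
    """Validate Steam's OpenID 2.0 assertion; return the SteamID64 (str) or None on any failure.
    `post(url, form)` performs the server-to-server POST and returns the body (injected to run offline)."""
    # Only a positive assertion counts; openid.mode=cancel means the user backed out.
    if params.get("openid.mode") != "id_res":
        return None
    # It must be addressed to our return URL and come from Steam's endpoint, not a look-alike.
    if (params.get("openid.return_to") != expected_return_to
            or params.get("openid.op_endpoint") != STEAM_OP_ENDPOINT):
        return None
    # It must name a Steam identity, and claimed_id must agree with identity.
    m = CLAIMED_ID_RE.match(params.get("openid.claimed_id", ""))
    if not m or params.get("openid.identity") != params["openid.claimed_id"]:
        return None
    # Every field we rely on must be covered by Steam's signature, or the check is meaningless.
    signed = set(params.get("openid.signed", "").split(","))
    if not {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"} <= signed:
        return None
    # Each response_nonce may be accepted once; a repeat is a replayed assertion.
    nonce = params.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return None
    # Direct verification: echo the assertion back as check_authentication; accept only is_valid:true.
    body = post(STEAM_OP_ENDPOINT, dict(params, **{"openid.mode": "check_authentication"}))
    fields = dict(line.split(":", 1) for line in body.splitlines() if ":" in line)
    if fields.get("is_valid") != "true":
        return None
    seen_nonces.add(nonce)
    return m.group(1)

# Constructed sample assertion (not real Steam data) so the check can run stand-alone.
SAMPLE_PARAMS = {
    "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OP_ENDPOINT,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561198000000001",
    "openid.identity": "https://steamcommunity.com/openid/id/76561198000000001",
    "openid.return_to": "https://ngf.example/auth/steam/return",
    "openid.response_nonce": "2025-01-01T00:00:00Zr4nd0m",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce",
    "openid.sig": "ZmFrZS1zaWduYXR1cmU=",
}
def fake_steam_post(url, form):
    """Stand-in for Steam's check_authentication reply: valid only for the sample signature."""
    ok = form.get("openid.mode") == "check_authentication" and form.get("openid.sig") == SAMPLE_PARAMS["openid.sig"]
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % ("true" if ok else "false")
```

In production `post` is a real HTTPS POST to Steam and `seen_nonces` is shared storage with an expiry; everything else in the function stays the same.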
Asking for Steam credentials directly would actually violate Steam's API Terms of Use.
What Data We Can Actually See
| Data Type | What NGF Gets | What NGF Doesn't Get |
|---|---|---|
| Identity | SteamID (64-bit identifier), Display name, Profile URL | Email address, Real name (unless public), Password |
| Visuals | Avatar images (all sizes) | N/A |
| Status | Online/offline state, Last logoff time | Friends list, Chat logs |
| Gaming | Game library (if public), Playtime (if public) | Purchase history, Wishlist, Inventory items |
| Financial | Nothing | Payment methods, Wallet balance, Transaction history |
| Account | Nothing | Security settings, Phone number, API keys |
It's purely read-only access to public information already visible on your Steam profile. Same data anyone can see by visiting your profile while logged out.
What We Cannot Do (By Design)
These aren't promises. They're hard-coded limitations of Steam's authentication protocol:
Account Modification
- ❌ Cannot access your password
- ❌ Cannot change account settings
- ❌ Cannot modify security preferences
- ❌ Cannot add/remove games from library
Financial Actions
- ❌ Cannot make purchases
- ❌ Cannot access payment methods
- ❌ Cannot view transaction history
- ❌ Cannot modify Steam Wallet
Social & Trading
- ❌ Cannot send messages
- ❌ Cannot initiate trades
- ❌ Cannot access inventory (without separate OAuth grant)
- ❌ Cannot modify friends list
Data Access
- ❌ Cannot access email address (Steam doesn't expose this)
- ❌ Cannot read private profile data
- ❌ Cannot access wishlist
- ❌ Cannot view family sharing settings
If your profile is private? We get your SteamID and display name. Nothing else. Recommendations won't be personalized, but your account stays locked down.
Sites Already Using This System
You've probably used Steam OpenID before:
| Site | Purpose | Users |
|---|---|---|
| SteamDB | Price tracking, game database | 132M+ monthly active |
| IsThereAnyDeal | Price alerts, deal tracking | Millions |
| Backpack.tf | TF2 trading marketplace | Active since 2012 |
| LOOT.Farm | CS:GO/DOTA2 skin trading | High volume |
| CSGOLounge | Betting & trading (historical) | Massive user base |
SteamDB's official FAQ states: "It is completely safe to login to SteamDB because we use Steam's official OpenID provider. The only information we receive is your public SteamID, not your username or password."
Gaming communities have used Steam OpenID for nearly 20 years without systemic security breaches related to the authentication protocol itself.
Authentication Security Comparison
| Method | How It Works | Risk Level | Used By |
|---|---|---|---|
| Steam OpenID | Redirect to Steam, no credentials shared | ✅ Low - Industry standard | NGF, SteamDB, ITAD, trading sites |
| Username/Password Form | Enter credentials on 3rd party site | ❌ Critical - Violates Steam TOS | Illegal, phishing sites |
| Manual SteamID Entry | User types their ID manually | ⚠️ Medium - No verification | Some older tools |
| API Key Sharing | User gives site their private key | ❌ High - Full account access | Scam sites |
Why This Is The Only Approved Method
Valve's API Terms of Use explicitly prohibit asking users to enter Steam credentials on external websites.
If NGF had a form that said "Enter your Steam username and password," that would trigger:
- Immediate API access revocation
- Potential legal action from Valve
- Violation of Terms of Service
OpenID exists specifically because Valve recognized game services need identity verification without security risks. It's their officially sanctioned solution.
The alternative? Asking you to manually type your SteamID, hoping you got it right, with no way to verify you actually own that account.
Worse UX. Less secure.
How To Revoke Access Anytime
You control the connection completely:
- Go to: steamcommunity.com/dev/apikey
- Action: Revoke the key → Takes 10 seconds → NGF loses all access immediately
This isn't a special feature we built. It's baked into Steam's API infrastructure. Valve gives users the control. We're operating within that system.
Request Type Breakdown
Every interaction NGF has with Steam's API:
| Request Type | What It Does | Can Modify? |
|---|---|---|
| GET /ISteamUser/GetPlayerSummaries | Fetches basic profile info | ❌ No |
| GET /IPlayerService/GetOwnedGames | Retrieves game library | ❌ No |
| GET /ISteamUser/GetFriendList | Gets friends (if public) | ❌ No |
| GET /IPlayerService/GetRecentlyPlayedGames | Shows recent activity | ❌ No |
All read-only GET requests. Zero POST, PUT, or DELETE operations. Zero write access to your account.
Why Read-Only Actually Means Something
Think of it like this:
| Scenario | Access Level | What's Possible |
|---|---|---|
| Viewing someone's public Steam profile | What OpenID gives us | See games, playtime, public info |
| Having their password | Complete account control | Purchase, trade, delete, modify everything |
| Having their API key | Elevated access | Make trades, access private data |
OpenID gives us the first with cryptographic proof you authorized it. It never gives us the second or third.
The signed token acts as temporary, read-only credentials.
"On your behalf" means "asking Steam to show us your public game data."
The Technical Reality
OpenID 2.0 Timeline:
- 2007: Protocol launched
- 2014: Deprecated in favor of OpenID Connect
- 2025: Still used by Steam and thousands of integrations
But older doesn't mean insecure.
Protocol Strengths:
- ✅ Signed tokens prevent forgery
- ✅ Server-to-server validation
- ✅ Redirect-based flows keep credentials on Steam's domain
- ✅ No credential sharing with third parties
Real Security Risks:
| Threat | Source | OpenID Vulnerability? |
|---|---|---|
| Phishing attacks | Fake Steam login pages | ❌ No - User error |
| API key theft | Users sharing private keys | ❌ No - Separate system |
| Account compromises | Password reuse, weak passwords | ❌ No - User security |
| Token theft | Sites storing tokens insecurely | ⚠️ Implementation issue |
| Protocol exploit | OpenID 2.0 vulnerability | ✅ Well-documented, rare |
The protocol itself does its job. None of the documented vulnerabilities allow a properly-implemented third-party site to extract passwords or gain unauthorized account access.
Steam chose to stick with OpenID 2.0 because millions of existing integrations depend on it and the security model still works. Breaking that ecosystem for a newer protocol version wouldn't improve security. It would just create risk.
So, Yeah, NGF Is Safe and Secure
It's easy for me to promise not to steal your Steam account because it's impossible for me to do that anyway. Plus, my backlog is truly painful to look at. I've got more games than time with this and a full-time marketing day job. I also already own all the Oblivion horse armor DLCs.
Any questions?