Dr. McKay

steam-user does not work in the browser.

No, nothing will work in the browser. Same-origin policy will block you. Although, in theory you could perform a CM login in the browser since that's all websocket based.

What version of steam-store?

steam-user does not work in the browser.

No such method exists.

steam-user is a Node.js module, not a bun module.

This should work. What is the value of token that you're actually receiving?

ISteamEconomy/GetAssetClassInfo includes owner_descriptions, which will tell you when an item becomes tradable.

This is great news, I'm glad Valve is no longer locking a security feature behind a phone number. It appears that steam-user and steamcommunity both just work without a phone number. When you'd normally receive a code via SMS, you get the code sent to your email instead.

No, this isn't currently possible.

Probably not. Historically, logging into the client after verifying your email is what auto-enabled Steam Guard and there's no way around that.

classid and instanceid are not foolproof ways to match item instances. I'm not aware of any way to match an item from the market to an item in your inventory.

I refactored the WebAPI client to use a different HttpClient so that I could add a timeout to it, but then forgot why I refactored it in the first place. 5.0.4 adds the timeout, which should fix the issue. Sharing the CM list across multiple instances wouldn't be a bad idea, but it's not something I've got time for right now.

5.0.3 should fix this for you.

I believe I found the bug. Run npm update again and make sure that you end up with steam-session 1.7.1 or later. On Linux, you can do npm ls -a | grep steam-session to check your steam-session version.

There's still a rate limit. You won't be banned, but your IP will be throttled if you request inventories too quickly.

5.0.2 is up. I don't really expect it to change things, but it might. I did double-check and steam-user is still doing exactly the same thing the client is for getting a web session.

I've had a number of people report similar things, I'll look into it when I can. I don't have any special insight into how the Steam backend works beyond what traffic gets exchanged with the official Steam client.

Yes.

If you use a refresh token, then you don't need to provide a new 2FA code. This is what the Steam client does when you check the "remember my password" box.

What version of steam-user?

Sounds like whatever you've got isn't a valid refresh token. Where did you get it?

https://steamerrors.com/87 AccountLoginDeniedThrottle = "login attempt failed, try to throttle response to possible attacker". I don't know exactly what that means, but given the similarity to AccountLogonDenied (which is the code used when you need to provide an email code), it seems likely that it happens if you try to log on too many times without providing a valid email code. Yes, this is expected behavior. Machine auth tokens are only issued for accounts that are using email Steam Guard.

I'm not sure what circumstances automatically enable email Steam Guard. If you already have a valid refresh token, then yeah, you can use steam-session to get new cookies.

There's no reason not to.