Jump to content
McKay Development

New request limits? (429 error)


Recommended Posts

Posted (edited)

Is it just me or today something happend with rate limits again?

Trade confirmation on all of my bots goes right into 429 error, even though they use different IPs and accounts and it's no more than 4 trade per hour
Same with market confirmations.
I saw on the forum that getTimeOffset was strict before, but I never experienced something like this, hope it's temporary....

And I also have troubles with inventory loading...
On my PC if I load inventory from the browser everything seems ok, but on the same PC using a script I get 429 on the first request...
It used to be the same. Something is not right... I use edited version of inventory loading. Were there any changes in requests?

Edited by Nickers
Posted

I'm having the same issues with my bots.
I can also see that a lot of sites are struggling with trading bots while some have already adapted, likely need an update to steamcommunity package.

Posted

here is easy fix:

const request = require('request');
const SteamCommunity = require('steamcommunity');

let community = new SteamCommunity({
	request: request.defaults({
		headers: {
			'Accept-Encoding': 'gzip, deflate, br'
		}
	})
});

if you use proxy:

request: request.defaults({
	proxy: proxyUrl,
	headers: {
		'Accept-Encoding': 'gzip, deflate, br'
	}
})

 

This is not rate limiting. Steam's WAF now fingerprints the Accept-Encoding request header. The legacy request package (which node-steamcommunity uses internally with gzip: true) sends exactly Accept-Encoding: gzip, deflate — real browsers always include br as well. Steam now rejects the bot-like values outright:

Accept-Encoding sent Response
gzip, deflate (request lib default) 429
gzip 429
gzip, deflate, br 200
gzip, deflate, br, zstd 200

Same IP, same endpoint, seconds apart — only the header changes the outcome. api.steampowered.com is not affected.

Posted
1 hour ago, JVz said:

here is easy fix:

const request = require('request');
const SteamCommunity = require('steamcommunity');

let community = new SteamCommunity({
	request: request.defaults({
		headers: {
			'Accept-Encoding': 'gzip, deflate, br'
		}
	})
});

if you use proxy:

request: request.defaults({
	proxy: proxyUrl,
	headers: {
		'Accept-Encoding': 'gzip, deflate, br'
	}
})

 

This is not rate limiting. Steam's WAF now fingerprints the Accept-Encoding request header. The legacy request package (which node-steamcommunity uses internally with gzip: true) sends exactly Accept-Encoding: gzip, deflate — real browsers always include br as well. Steam now rejects the bot-like values outright:

Accept-Encoding sent Response
gzip, deflate (request lib default) 429
gzip 429
gzip, deflate, br 200
gzip, deflate, br, zstd 200

Same IP, same endpoint, seconds apart — only the header changes the outcome. api.steampowered.com is not affected.

This seems to be a part of the solution. The confirmations are working like 60-70% of the time now but for the other 30-40% error 429 is still getting returned.
Thank you for sharing though.

Posted
26 minutes ago, Devx09 said:

Yes, didn't have these 429's yesterday with the same Proxy setup. All proxies are residential.

do you call other api endpoints on same proxies? inventories, offerslist and so on

Posted (edited)
14 minutes ago, JVz said:

do you call other api endpoints on same proxies? inventories, offerslist and so on

Yes, I do. Using trade offer manager which uses steamcommunity with the new headers defined.
Endpoints like offerslist however don't seem to be returning 429's, only the confirmations endpoints do.
Are you not receiving any 429's yourself when trying to confirm offers?

Edited by Devx09
Posted

For me, this method has not changed anything at all. I consistently receive cookies from the steam-session, setCookies() in steamcommunity and tradeoffer-manager work stably, but as soon as I try to send an exchange from the bot or get a link to the exchange bot getTradeURL(), I get error 429

Works for me:

request: Request.defaults({
    proxy: proxy,
    headers: {
        'Accept-Encoding': 'deflate, br, zstd'
    }
})
Posted (edited)

Here is a cleaner version if you encounter problems.

Still not working %100, randomly works.

As on some steamcommunity versions, that method would cause a crash.

if (this._options.request) {
    return reject(new Error('SteamCommunity.login() is incompatible with node-steamcommunity v3\'s usage of \'request\'. If you need to specify a custom \'request\' instance (e.g. when using a proxy), use https://www.npmjs.com/package/steam-session directly to log onto Steam.'));
}
 

const SteamCommunity = require('steamcommunity');
 
const community = new SteamCommunity();
 
// Patch before confirmations — login doesn't use this.request
community.request = community.request.defaults({
headers: {
'Accept-Encoding': 'gzip, deflate, br'
}
});
 
Edited by Therepower
Posted

Thanks for the feedback guys!
 

On 7/10/2026 at 3:38 PM, JVz said:

here is easy fix:

const request = require('request');
const SteamCommunity = require('steamcommunity');

let community = new SteamCommunity({
	request: request.defaults({
		headers: {
			'Accept-Encoding': 'gzip, deflate, br'
		}
	})
});

This helped me with trade confirmations when testing, thanks!

Nothing works for inventory requests yet. I'll take a closer look at real site requests later.

Posted

do you have 100% success rate? it's still gives me rate limit from time to time

15 minutes ago, Nickers said:

Thanks for the feedback guys!
 

This helped me with trade confirmations when testing, thanks!

Nothing works for inventory requests yet. I'll take a closer look at real site requests later.

 

Posted
On 7/11/2026 at 10:42 AM, vindisel said:

For me, this method has not changed anything at all. I consistently receive cookies from the steam-session, setCookies() in steamcommunity and tradeoffer-manager work stably, but as soon as I try to send an exchange from the bot or get a link to the exchange bot getTradeURL(), I get error 429

Works for me:

request: Request.defaults({
    proxy: proxy,
    headers: {
        'Accept-Encoding': 'deflate, br, zstd'
    }
})



Error 429 appeared again, this entry fixed the situation, but idk for how long: 'Accept-Encoding': 'br, zstd'
 

Posted

This option also turned out to be quite working, for me it does not even require changing the Accept-Encoding, the key is to transfer Accept and sec-fetch-user.
 

headers: {
    //"User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Mobile Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
    //"Accept-Encoding": "gzip, deflate, br, zstd",
    "Accept-Language": "en-US,en;q=0.9",
     "sec-ch-ua": "\"Chromium\";v=\"140\", \"Not=A?Brand\";v=\"24\", \"Google Chrome\";v=\"140\"",
    "sec-ch-ua-mobile": "?1",
     "sec-ch-ua-platform": "\"Android\"",
    "sec-fetch-dest": "document",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "same-origin",
    "sec-fetch-user": "?1",
    "upgrade-insecure-requests": "1"
}
Posted

Hey guys.

 

I have asked gpt5.5 to fix it. (With the samples from this thread) And telling it that it needs to change the headers to prevent akamai WAF.

 

This was the set of headers that works for 95 percent of times:

 

const headers = {
      'Sec-Fetch-Dest': 'empty',
      'Sec-Fetch-Mode': 'cors',
      'Sec-Fetch-Site': 'same-origin',
    };

 

Although, some endpoints needed some more tuning. (E.g. getting partner details after creating an offer)

So right now, i use this to change header dynamically:

 

Quote
private static configureSteamRequestHeaders() {
    (Bot.community as any).onPreHttpRequest = (
      _requestID: number,
      _source: string,
      options: any,
      continueRequest: (err?: Error | null) => void,
    ) => {
      options.headers = {
        Accept:
          'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.9',
        'Cache-Control': 'no-cache',
        Pragma: 'no-cache',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Site': 'same-origin',
        ...(options.headers  {}),
      };

      const url = String(options.url  options.uri  '');
      const method = String(options.method  'GET').toUpperCase();

      if (method === 'GET' && url.includes('/tradeoffer/new/')) {
        options.headers['Sec-Fetch-Dest'] = 'document';
        options.headers['Sec-Fetch-Mode'] = 'navigate';
        options.headers['Sec-Fetch-Site'] = 'none';
        options.headers['Upgrade-Insecure-Requests'] = '1';
      }

      if (
        url.includes('/tradeoffer/new/send') ||
        url.includes('/tradeoffer/new/partnerinventory/')
      ) {
        options.headers.Accept = 'application/json, text/javascript, */*; q=0.01';
        options.headers['X-Requested-With'] = 'XMLHttpRequest';
        options.headers['Sec-Fetch-Dest'] = 'empty';
        options.headers['Sec-Fetch-Mode'] = 'cors';
        options.headers['Sec-Fetch-Site'] = 'same-origin';
      }

      continueRequest(null);
      return true;
    };
  }

 

I have been using this for the past 36 hours and it is working fine.

 

Is there anything suspicious about this? Is there a ban risk? (I don't think so myself, but wanted to share it)

Posted
On 7/12/2026 at 8:38 PM, vindisel said:

'Accept-Encoding': 'br, zstd'

This still seems to work fine for me atm. But Steam seems to go through a bit of turbulence right now, so I catch stray 500's and 400's

 

3 hours ago, rahimi0151 said:

I have asked gpt5.5 to fix it.

I'm afraid it's specific Steam-related problem from recent site changes and GPT won't have that in it's training data.
Did it give any guesses on why this might work?

 

2 hours ago, JVz said:

There is always risk of getting banned with steam

Many years of being afraid for my normal trading accounts T ^ T

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...