Nickers Posted Friday at 06:43 AM Report Posted Friday at 06:43 AM (edited) Is it just me or today something happend with rate limits again? Trade confirmation on all of my bots goes right into 429 error, even though they use different IPs and accounts and it's no more than 4 trade per hour Same with market confirmations. I saw on the forum that getTimeOffset was strict before, but I never experienced something like this, hope it's temporary.... And I also have troubles with inventory loading... On my PC if I load inventory from the browser everything seems ok, but on the same PC using a script I get 429 on the first request... It used to be the same. Something is not right... I use edited version of inventory loading. Were there any changes in requests? Edited Friday at 07:15 AM by Nickers Quote
Devx09 Posted Friday at 09:50 AM Report Posted Friday at 09:50 AM I'm having the same issues with my bots. I can also see that a lot of sites are struggling with trading bots while some have already adapted, likely need an update to steamcommunity package. Quote
JVz Posted Friday at 10:38 AM Report Posted Friday at 10:38 AM here is easy fix: const request = require('request'); const SteamCommunity = require('steamcommunity'); let community = new SteamCommunity({ request: request.defaults({ headers: { 'Accept-Encoding': 'gzip, deflate, br' } }) }); if you use proxy: request: request.defaults({ proxy: proxyUrl, headers: { 'Accept-Encoding': 'gzip, deflate, br' } }) This is not rate limiting. Steam's WAF now fingerprints the Accept-Encoding request header. The legacy request package (which node-steamcommunity uses internally with gzip: true) sends exactly Accept-Encoding: gzip, deflate — real browsers always include br as well. Steam now rejects the bot-like values outright: Accept-Encoding sent Response gzip, deflate (request lib default) 429 gzip 429 gzip, deflate, br 200 gzip, deflate, br, zstd 200 Same IP, same endpoint, seconds apart — only the header changes the outcome. api.steampowered.com is not affected. n1del, Myp, Devx09 and 5 others 8 Quote
Devx09 Posted Friday at 12:13 PM Report Posted Friday at 12:13 PM 1 hour ago, JVz said: here is easy fix: const request = require('request'); const SteamCommunity = require('steamcommunity'); let community = new SteamCommunity({ request: request.defaults({ headers: { 'Accept-Encoding': 'gzip, deflate, br' } }) }); if you use proxy: request: request.defaults({ proxy: proxyUrl, headers: { 'Accept-Encoding': 'gzip, deflate, br' } }) This is not rate limiting. Steam's WAF now fingerprints the Accept-Encoding request header. The legacy request package (which node-steamcommunity uses internally with gzip: true) sends exactly Accept-Encoding: gzip, deflate — real browsers always include br as well. Steam now rejects the bot-like values outright: Accept-Encoding sent Response gzip, deflate (request lib default) 429 gzip 429 gzip, deflate, br 200 gzip, deflate, br, zstd 200 Same IP, same endpoint, seconds apart — only the header changes the outcome. api.steampowered.com is not affected. This seems to be a part of the solution. The confirmations are working like 60-70% of the time now but for the other 30-40% error 429 is still getting returned. Thank you for sharing though. n1del and Leon 2 Quote
JVz Posted Friday at 03:56 PM Report Posted Friday at 03:56 PM do you use 1 account per 1 proxy? Quote
Devx09 Posted Friday at 04:43 PM Report Posted Friday at 04:43 PM 46 minutes ago, JVz said: do you use 1 account per 1 proxy? Yes, didn't have these 429's yesterday with the same Proxy setup. All proxies are residential. Quote
JVz Posted Friday at 05:11 PM Report Posted Friday at 05:11 PM 26 minutes ago, Devx09 said: Yes, didn't have these 429's yesterday with the same Proxy setup. All proxies are residential. do you call other api endpoints on same proxies? inventories, offerslist and so on Quote
Devx09 Posted Friday at 05:18 PM Report Posted Friday at 05:18 PM (edited) 14 minutes ago, JVz said: do you call other api endpoints on same proxies? inventories, offerslist and so on Yes, I do. Using trade offer manager which uses steamcommunity with the new headers defined. Endpoints like offerslist however don't seem to be returning 429's, only the confirmations endpoints do. Are you not receiving any 429's yourself when trying to confirm offers? Edited Friday at 05:25 PM by Devx09 Quote
JVz Posted Friday at 05:54 PM Report Posted Friday at 05:54 PM receiving ofc. Trying to find the way to minimize it Quote
vindisel Posted Saturday at 03:42 AM Report Posted Saturday at 03:42 AM For me, this method has not changed anything at all. I consistently receive cookies from the steam-session, setCookies() in steamcommunity and tradeoffer-manager work stably, but as soon as I try to send an exchange from the bot or get a link to the exchange bot getTradeURL(), I get error 429 Works for me: request: Request.defaults({ proxy: proxy, headers: { 'Accept-Encoding': 'deflate, br, zstd' } }) Gues_t and Nickers 2 Quote
Therepower Posted Saturday at 03:22 PM Report Posted Saturday at 03:22 PM (edited) Here is a cleaner version if you encounter problems. Still not working %100, randomly works. As on some steamcommunity versions, that method would cause a crash. if (this._options.request) { return reject(new Error('SteamCommunity.login() is incompatible with node-steamcommunity v3\'s usage of \'request\'. If you need to specify a custom \'request\' instance (e.g. when using a proxy), use https://www.npmjs.com/package/steam-session directly to log onto Steam.')); } const SteamCommunity = require('steamcommunity'); const community = new SteamCommunity(); // Patch before confirmations — login doesn't use this.request community.request = community.request.defaults({ headers: { 'Accept-Encoding': 'gzip, deflate, br' } }); Edited Saturday at 03:25 PM by Therepower Nickers and Myp 2 Quote
Nickers Posted Sunday at 02:15 PM Author Report Posted Sunday at 02:15 PM Thanks for the feedback guys! On 7/10/2026 at 3:38 PM, JVz said: here is easy fix: const request = require('request'); const SteamCommunity = require('steamcommunity'); let community = new SteamCommunity({ request: request.defaults({ headers: { 'Accept-Encoding': 'gzip, deflate, br' } }) }); This helped me with trade confirmations when testing, thanks! Nothing works for inventory requests yet. I'll take a closer look at real site requests later. Quote
JVz Posted Sunday at 02:31 PM Report Posted Sunday at 02:31 PM do you have 100% success rate? it's still gives me rate limit from time to time 15 minutes ago, Nickers said: Thanks for the feedback guys! This helped me with trade confirmations when testing, thanks! Nothing works for inventory requests yet. I'll take a closer look at real site requests later. Quote
Nickers Posted Sunday at 03:33 PM Author Report Posted Sunday at 03:33 PM 59 minutes ago, JVz said: do you have 100% success rate? Nope, I test requests one by one and still got a few errors Quote
vindisel Posted Sunday at 03:38 PM Report Posted Sunday at 03:38 PM On 7/11/2026 at 10:42 AM, vindisel said: For me, this method has not changed anything at all. I consistently receive cookies from the steam-session, setCookies() in steamcommunity and tradeoffer-manager work stably, but as soon as I try to send an exchange from the bot or get a link to the exchange bot getTradeURL(), I get error 429 Works for me: request: Request.defaults({ proxy: proxy, headers: { 'Accept-Encoding': 'deflate, br, zstd' } }) Error 429 appeared again, this entry fixed the situation, but idk for how long: 'Accept-Encoding': 'br, zstd' Nickers 1 Quote
Nickers Posted Sunday at 06:09 PM Author Report Posted Sunday at 06:09 PM 2 hours ago, vindisel said: 'Accept-Encoding': 'br, zstd' This helped me with inventory requests, thanks vindisel 1 Quote
jerrey Posted yesterday at 03:09 AM Report Posted yesterday at 03:09 AM (edited) thanks so much Edited yesterday at 03:14 AM by jerrey Quote
vindisel Posted yesterday at 09:19 AM Report Posted yesterday at 09:19 AM It's absolutely crazy, every time i delete one parameter, everything starts to work. What is the logic behind this? headers: { 'Accept-Encoding': 'zstd', // 🤪 }, Quote
vindisel Posted yesterday at 10:14 AM Report Posted yesterday at 10:14 AM This option also turned out to be quite working, for me it does not even require changing the Accept-Encoding, the key is to transfer Accept and sec-fetch-user. headers: { //"User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Mobile Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8", //"Accept-Encoding": "gzip, deflate, br, zstd", "Accept-Language": "en-US,en;q=0.9", "sec-ch-ua": "\"Chromium\";v=\"140\", \"Not=A?Brand\";v=\"24\", \"Google Chrome\";v=\"140\"", "sec-ch-ua-mobile": "?1", "sec-ch-ua-platform": "\"Android\"", "sec-fetch-dest": "document", "sec-fetch-mode": "navigate", "sec-fetch-site": "same-origin", "sec-fetch-user": "?1", "upgrade-insecure-requests": "1" } Impressive and Myp 2 Quote
rahimi0151 Posted yesterday at 03:15 PM Report Posted yesterday at 03:15 PM Hey guys. I have asked gpt5.5 to fix it. (With the samples from this thread) And telling it that it needs to change the headers to prevent akamai WAF. This was the set of headers that works for 95 percent of times: const headers = { 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', }; Although, some endpoints needed some more tuning. (E.g. getting partner details after creating an offer) So right now, i use this to change header dynamically: Quote private static configureSteamRequestHeaders() { (Bot.community as any).onPreHttpRequest = ( _requestID: number, _source: string, options: any, continueRequest: (err?: Error | null) => void, ) => { options.headers = { Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.9', 'Cache-Control': 'no-cache', Pragma: 'no-cache', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Site': 'same-origin', ...(options.headers {}), }; const url = String(options.url options.uri ''); const method = String(options.method 'GET').toUpperCase(); if (method === 'GET' && url.includes('/tradeoffer/new/')) { options.headers['Sec-Fetch-Dest'] = 'document'; options.headers['Sec-Fetch-Mode'] = 'navigate'; options.headers['Sec-Fetch-Site'] = 'none'; options.headers['Upgrade-Insecure-Requests'] = '1'; } if ( url.includes('/tradeoffer/new/send') || url.includes('/tradeoffer/new/partnerinventory/') ) { options.headers.Accept = 'application/json, text/javascript, */*; q=0.01'; options.headers['X-Requested-With'] = 'XMLHttpRequest'; options.headers['Sec-Fetch-Dest'] = 'empty'; options.headers['Sec-Fetch-Mode'] = 'cors'; options.headers['Sec-Fetch-Site'] = 'same-origin'; } continueRequest(null); return true; }; } I have been using this for the past 36 hours and it is working fine. Is there anything suspicious about this? Is there a ban risk? (I don't think so myself, but wanted to share it) Quote
JVz Posted yesterday at 03:59 PM Report Posted yesterday at 03:59 PM there is always risk of getting banned with steam Quote
Nickers Posted yesterday at 06:25 PM Author Report Posted yesterday at 06:25 PM On 7/12/2026 at 8:38 PM, vindisel said: 'Accept-Encoding': 'br, zstd' This still seems to work fine for me atm. But Steam seems to go through a bit of turbulence right now, so I catch stray 500's and 400's 3 hours ago, rahimi0151 said: I have asked gpt5.5 to fix it. I'm afraid it's specific Steam-related problem from recent site changes and GPT won't have that in it's training data. Did it give any guesses on why this might work? 2 hours ago, JVz said: There is always risk of getting banned with steam Many years of being afraid for my normal trading accounts T ^ T Quote
4049_1572836826 Posted 20 hours ago Report Posted 20 hours ago (edited) Something big comming 🤫 - steam has new cookies bm_sv and ak_bmsc Quote Used by Akamai Botman Manager to distinguish between human-generated web requests and automated ones, such as those from bots. Used to store information about the web server that is serving the website. Edited 20 hours ago by 4049_1572836826 Nickers 1 Quote
skr1pt Posted 10 hours ago Report Posted 10 hours ago 9 hours ago, 4049_1572836826 said: Something big comming 🤫 - steam has new cookies bm_sv and ak_bmsc steam using this cookies few years) dont panic Nickers and n1del 2 Quote
4049_1572836826 Posted 1 hour ago Report Posted 1 hour ago 9 hours ago, skr1pt said: steam using this cookies few years) dont panic 😵💫 I was panicking 😅 but thanks for the clarification. This cookie new for me. I've never seen it in cookies since yesterday. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.