Steam Login in Unity with OpenID (no email, no password)
Steam login is the odd one out. It's not OAuth, it has no client secret, and it will never tell you the player's email. For a PC game shipping on Steam, though, it's the login players expect — they're already signed in, and one click puts them in your game. This guide covers the OpenID flow, the SteamID that comes back, and the profile-data step people miss.
Steam speaks OpenID, not OAuth
Every other provider in this series uses OAuth 2.0. Steam uses OpenID 2.0, an older standard, and the difference changes what you get. There's no access_token, no refresh_token, and no consent screen asking for scopes. Steam's only job is to prove which account is signing in, and it answers with one thing: a SteamID64, the 17-digit number that uniquely identifies the account (for example, 76561198000000000).
That's it. No email — not a hidden one, not an unverified one, none. If your account system assumes every player arrives with an email address, Steam is where that assumption falls apart. The right move is to treat the SteamID as the player's identity and never look for an email at all.
What you need (and don't) to set it up
Because OpenID has no client secret, there's nothing sensitive to keep out of your build here — which is a nice change. There's one optional piece worth adding: a Steam Web API key.
OpenID gives you the verified SteamID and stops. The player's display name (their "persona name") and avatar live behind Steam's Web API. To show them in your game, Oathwall calls GetPlayerSummaries on your behalf, and that call needs an API key.
- Go to steamcommunity.com/dev/apikey and register a key for your domain.
- In the Oathwall dashboard, add Steam as a provider and paste the Web API key.
- Confirm the return URL on your app points at Oathwall's callback:
https://sso.oathwall.com/auth/callback
Skip the API key and login still works — you just get the bare SteamID with a null name and avatar. Add it and each player comes back with their Steam persona name and picture filled in. Either way, the key stays server-side in the dashboard, never in your build.
Wire it up in Unity
Client-side, Steam is the same one-liner as the rest:
using PixitGames.SSOLoginKit;
public class LoginManager : SsoClientBase
{
// OpenID flow — no secret, no email.
// You get a verified SteamID back.
public void OnSteamButton() => StartLogin("steam");
protected override void OnLoginSuccess(LoginResult user)
{
// user.id is the SteamID-backed identity key.
// user.email will be null — that's expected.
LoadOrCreatePlayer(user.id);
}
}
StartLogin("steam") opens Steam's sign-in page in the system browser. Behind the scenes, Oathwall verifies the OpenID assertion against Steam's own endpoint — it re-checks the response with Steam so a forged claimed_id can't slip through — then returns the confirmed identity. user.email is null by design; lean on user.id for everything that needs to be stable.
The gotchas worth knowing
Never fake an email from the SteamID. It's tempting to synthesize something like [email protected] to fit a schema that expects an email. Don't. If you ever add email-based account matching for another provider, those fake addresses can collide or let one account impersonate another. Keep the email field genuinely empty for Steam players.
The display name is not an identity. Persona names change and aren't unique — two players can share one. Show the persona name in the UI, but key saves, purchases, and bans to the SteamID.
It's a PC login in practice. Nothing stops the browser flow from running elsewhere, but Steam sign-in belongs on desktop builds, where the player already has a Steam session. If you're shipping cross-platform, pair Steam on PC with Sign in with Apple on iOS and Google on Android, all through the same login class.
Because Steam accounts and, say, Google accounts are separate identities, account linking matters if a player uses both — the Unity authentication guide covers how one player can attach multiple providers to a single Oathwall identity. And if the OpenID-vs-OAuth distinction is new to you, what single sign-on means sets the context.
Oathwall is available on the Unity Asset Store, and its free plan is enough to wire up and test Steam login end to end before launch.
Frequently asked questions
- Does Steam login give me the player's email?
- No. Steam authenticates through OpenID 2.0 and never returns an email address, verified or otherwise. You get a 64-bit SteamID that uniquely identifies the account. Build your player system around that id, not around email.
- Do I need Steamworks or a client secret for Steam login?
- No client secret — OpenID doesn't use one. You don't need the full Steamworks SDK for sign-in either. To pull the player's display name and avatar, Oathwall uses a Steam Web API key, which you generate once and paste into the dashboard; it stays server-side.
- What is a SteamID64 and how should I use it?
- It's the 17-digit number that uniquely identifies a Steam account, like 76561198000000000. Oathwall verifies it against Steam's OpenID endpoint and returns it as the player identity. Use it as the stable key for save data and entitlements.
- Can players use Steam login on mobile or WebGL?
- The flow runs in the system browser, so technically yes — the player signs in on Steam's web page. In practice Steam login is used almost entirely by PC builds, since that's where players already have a Steam session and expect it.
- Why do I only get a SteamID and not a name?
- OpenID's job ends at proving which account signed in — that's the SteamID. The display name and avatar come from a separate Steam Web API call. Without an API key configured, Oathwall returns just the verified SteamID; with one, it adds the persona name and avatar.