The WebAPI Token System
We now offer a feature on CSGORoll that allows for faster transactions - i.e. buying and selling skins - for our users, even when player inventories are at a critical status. To enjoy this feature to its fullest, we require your Steam WebAPI Token , which we then use to track your trading history using our API tool.
The WebAPI Token is commonly seen as sensitive information, and we can understand that you may have read some myths and misconceptions online that might stop you from giving it to us. However, you can rest assured that it’s absolutely safe to give CSGORoll your WebAPI Token - and to put your mind at ease, you can read some commonly asked questions below to learn more about WebAPI Tokens and how your information is kept secure.
What are the main things to know about WebAPI Tokens?
First and foremost, CSGORoll staff members will never ask you for your WebAPI Token! If anyone at all messages you asking for it, ignore them and report them to us immediately. You might have read online that if someone has your WebAPI Token they can control your account, change your password, or accept or send trade offers from your account. While this is absolutely not the case (and we’ll discuss this further down), your WebAPI Token is private information that should only be shared with us should you want to speed up your transactions.
Another thing to note is that you should never revoke your WebAPI Token during a P2P trade on CSGORoll. By doing so, the trade will be forfeited… so it’s best to wait until after any trades are completed (unless there’s something suspicious going on).
Why does CSGORoll need my WebAPI Token anyway?
A WebAPI Token can be used for a myriad of actions… but CSGORoll strictly uses it for tracking P2P trades. We do this so we can ensure all P2P trades run as smoothly as possible; the WebAPI Token allows us to look at the status of any trade created, and update the trade’s progress on our end throughout the transaction. Using the P2P system is the only time you’ll ever be asked to supply your WebAPI Token.
Why should I trust CSGORoll with my WebAPI Token?
Firstly, you should know that CSGORoll’s success depends on our reputation of being trustworthy and transparent. Without that, we wouldn’t have so many users. When it comes to security, we take things very seriously… and we adhere to strict and secure programming standards to protect your WebAPI Tokens and maintain a high level of security. Your CSGORoll WebAPI Token is stored securely and encrypted within our database. We’re also regularly audited to make sure any security issues are resolved immediately.
How do I generate my WebAPI Token to send to CSGORoll?
When you attempt to use the P2P system for the first time for a faster transaction, CSGORoll will send you a form asking for your WebAPI Token. This form will also provide a link that will take you directly to the page to generate your Token. You’ll be asked for a ‘domain’, which can be anything, but we recommend just setting this as ‘localhost’. You’ll then be able to generate your Token, which you can easily copy and paste into the respective field on the CSGORoll form. Provided your trade URL and WebAPI Token are both valid, you’ll then be able to use our P2P system.
I’ve read some scary stuff online. What can actually happen if someone has my WebAPI Token?
It’s always good to be aware of potential security threats, but you should also know that much of the information online about API Tokens isn’t quite true. One of the biggest myths out there is that if someone has your Token they can do absolutely anything they like from your Steam account. But this isn’t true at all, as your WebAPI Token is confined to a very specific set of actions. The Token doesn’t allow a user to do much at all actually. For example, if someone had your Token, they would never be able to meddle with your account like reset your password, change the email address, send or accept trade offers, disable 2-factor authentication, or view sensitive payment information. None of these actions would be affected whatsoever.
So what kind of scams do I need to watch out for?
It’s unfortunate, but API scams do exist within the CS2 community - and if you provide the wrong party with your WebAPI Token, it is possible to fall victim to one. A typical scam would compromise your WebAPI Token, where the criminal party would use it to monitor your trade history. They could then intercept any trades that involve you sending an item to another user by cancelling it… only to impersonate the rightful recipient of the trade to trick you into sending the item to the criminal party instead. It’s for this reason that CSGORoll strongly recommends verifying another user’s level and registration before initiating and when confirming a trade offer with them. It’s also important to note that the seller should always make the trade offer, and not the other way around. If you sell an item to CSGORoll and a buyer sends you a trade offer, please cancel it immediately and report it to the CSGORoll team.
How can I prevent API Token scams?
It’s a pretty simple one, but malicious browser extensions are actually one of the most common ways for a scammer to steal your WebAPI Token. Make sure you don’t install browser extensions that aren’t popular, haven’t been developed by a trustworthy party, or that request permission to specifically read or change data on CSGORoll - that would be your first indicator.
It’s also worth remembering that CSGORoll will only ever ask you for your WebAPI Token via our form when you request to use the P2P system - other than that, we’ll never ask. If you are asked for it outside of this, please report it to us straight away. Furthermore, if you go to generate your WebAPI Token and find that it’s already been set (and you don’t remember doing that yourself), you should immediately revoke the API Token, reset your password, and have a look at your browser extensions for any malice. This could be suspicious activity, so it’s always better to act fast. More details about API Scams: https://blog.csgoroll.com/what-is-an-api-scam-and-how-to-prevent-it/
I want to learn more about WebAPI Tokens, who can I ask?
The more safe and secure you feel about your WebAPI Token, the better. We’re always happy to answer your questions - just give us a shout at support@csgoroll.com.