
The fact that you need to hand over a Steam API key is really worrisome, and the FAQ entry for it isn't all that reassuring [1]. You're basically just saying "no it's cool trust us". Are you encrypting these API keys? Do you delete them after each transaction?

It's kind of a honeypot if you're holding onto the keys. You don't have the ability to revoke them so if they're ever compromised it's on your users to revoke them before misuse.

It's worth noting that there's a ton of undocumented (by Valve) Web API methods [2]. If you just look at the official documentation [3] it misleads you into thinking it's a read-only API for fairly basic data. I presume that GamerPay is relying upon some of these undocumented APIs as part of their implementation.

[1]: https://intercom.help/gamerpay/en/articles/5313751-is-it-saf...

[2]: https://steamapi.xpaw.me/

[3]: https://steamcommunity.com/dev



Thanks for the feedback on the FAQ and thoughts. Agreed that the Steam API key is sensitive data and thus all keys, user data, etc. are secured by appropriate encryption. Same goes for cash transactions & wallets that are handled by partners that are compliant with the financial authorities (to prevent e.g. money laundering). We work with the Steam APIs on a daily basis and yes, some parts of the documentation could be more up to date... and it's not Stripe quality!


Why do you need the API key? Why not just do it like a traditional escrow service: you receive both the money and the item traded to a Steam account you own. Then once both are received you send the money and you send a trade request giving the item to the receiver?


Using bots as middlemen imposes other challenges. First, there is a 7-day trade lock on the item. Second, bots are prone to scams. Third, you cannot play with your skin in the meantime.


Would that mean Steam takes their cut twice? Or can you "gift" items for free?


You can gift them for free.


We need the API key to validate the state of the trades.



