
Access Token Flow

This document explains the secure flow of the user access_token through the Chainskins extension and backend.

Flow Overview

  1. User Authentication via Steam

    • The user logs in via the browser extension.
    • The extension retrieves the access_token directly from the user's Steam account.
  2. Daily Key Generation & Preconnect

    • Each day, the Cloud Function generates a new public/private key pair.
    • The extension performs a preconnect request to obtain the current day's public key.
  3. Encrypting Token & Sending to Cloud Function

    • The extension encrypts the access_token using the public key.
    • The encrypted token is sent to the Cloud Function.
    • Important: The token is never stored in the extension or on the server.
  4. Accessing Inventory via API

    • The Cloud Function decrypts the token using the private key.
    • It calls the Steam API to fetch the user's inventory.
    • The token is discarded immediately after use.
  5. Forwarding Data to Chainskins.net

    • The Cloud Function sends only the inventory data to Chainskins.net.
    • No sensitive tokens are ever stored or forwarded.
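
An added example of steps 2 to 5 (not Chainskins' own code), with both sides in one Node.js file so it runs offline. The page does not name the algorithm, so RSA-OAEP wrapping a per-request AES-256-GCM key is an assumption (RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190 bytes directly); `preconnect`, `sealToken`, `handleRequest`, the `kid` field and the stubbed `fetchInventory` are hypothetical names.

```javascript
// Added example: extension side and Cloud Function side in one file (assumed design).
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const dailyKeys = new Map(); // Cloud Function memory: kid -> { privateKey, publicKeyPem }

// Step 2: create the day's key pair on first use; only kid + public key leave the function.
function preconnect(kid) {
  if (!dailyKeys.has(kid)) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    dailyKeys.set(kid, { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) });
  }
  return { kid, publicKeyPem: dailyKeys.get(kid).publicKeyPem };
}

// Step 3 (extension): encrypt the token under a one-time AES key, then wrap that key with RSA.
function sealToken(accessToken, { kid, publicKeyPem }) {
  const aesKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  cipher.setAAD(Buffer.from(kid)); // bind the ciphertext to the day's key id
  const ct = Buffer.concat([cipher.update(accessToken, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey);
  const b64 = (buf) => buf.toString('base64');
  return { kid, wrappedKey: b64(wrappedKey), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Steps 4-5 (Cloud Function): decrypt, call the API, return inventory fields only.
function handleRequest(envelope, fetchInventory) {
  const entry = dailyKeys.get(envelope.kid);
  if (!entry) throw new Error('unknown or rotated key id; run preconnect again');
  const raw = (s) => Buffer.from(s, 'base64');
  const aesKey = crypto.privateDecrypt({ key: entry.privateKey, ...OAEP }, raw(envelope.wrappedKey));
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, raw(envelope.iv));
  decipher.setAAD(Buffer.from(envelope.kid));
  decipher.setAuthTag(raw(envelope.tag));
  const token = Buffer.concat([decipher.update(raw(envelope.ct)), decipher.final()]).toString('utf8');
  const inventory = fetchInventory(token); // token is never stored, logged or returned
  return { assets: inventory.assets, descriptions: inventory.descriptions };
}

// Demo with a constructed token and a stubbed Steam call (no network).
const sealed = sealToken('constructed-token-' + 'x'.repeat(600), preconnect('2024-01-01'));
const out = handleRequest(sealed, () => ({ assets: [{ assetid: '1234567890' }], descriptions: [] }));
console.log(Object.keys(sealed), out);
```

Returning an explicit allow-list of fields in `handleRequest` is what keeps a token from reaching Chainskins.net even if the upstream response were to echo it.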

Example API Result

{
  "assets": [
    {
      "appid": 730,
      "contextid": "2",
      "assetid": "1234567890",
      "classid": "987654321",
      "instanceid": "1112131415",
      "amount": "1"
    }
  ],
  "descriptions": [
    {
      "appid": 730,
      "classid": "987654321",
      "instanceid": "1112131415",
      "currency": 0,
      "background_color": "000000",
      "icon_url": "example_icon_url",
      "descriptions": [
        {"type": "html", "value": "This is a sample graffiti description.", "name": "description"}
      ],
      "tradable": 1,
      "actions": [
        {"link": "steam://rungame/730/...", "name": "Inspect in Game..."}
      ],
      "name": "Graffiti | Example Skin",
      "name_color": "abcdef",
      "type": "Base Grade Graffiti",
      "market_name": "Graffiti | Example Skin",
      "market_hash_name": "Graffiti | Example Skin",
      "commodity": 1,
      "marketable": 0,
      "tags": [
        {"category": "Type", "localized_tag_name": "Graffiti"},
        {"category": "Quality", "localized_tag_name": "Normal"},
        {"category": "Rarity", "localized_tag_name": "Base Grade", "color": "abcdef"},
        {"category": "SprayColorCategory", "localized_tag_name": "Red"}
      ]
    }
  ],
  "more_items": 1,
  "last_assetid": "1234567890",
  "total_inventory_count": 50,
  "success": 1
}

Notes:

  • assets: Array of items with unique IDs and quantities.
  • descriptions: Metadata for each item, including market info, name, type, and tags.
  • All IDs and URLs are examples; do not store real sensitive tokens or user info.