Hi,

To start off, thank you so much for the service so far all these years!
I've been using steam.supply for a solid 3-4 years to level every major sale. Many hundreds of my keys have gone to good use (efficient leveling) thanks to your site.

But one thing's got me worried right about now. This winter sale, I noticed there's multiple bots now asking for your "Steam Trade API Key". They will say something like Due to recent Steam changes, we are unable to load your inventory anymore. Before to use some commands, you must first set up your own API Key. The first part is quite obviously a flat-out lie, as most of the other bots can still load my inventory just fine. And yet they will not trade with me without said key. So, what's the catch?

Because this looked super fishy to me, I started looking online and informing myself. And basically, from what I could gather, giving anyone your key is a massive risk, as this gives anyone with your API key full access to your trades... While having this key doesn't immediately allow one to take your items, it does allow them to see your trades, intercept one if it looks profitable, and then send you a fake trade offer to get your items instead of the intended target (Sources that prove this possibility: One[forums.steamrep.com] and Two[https//%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5%E2%99%A5], plenty more if you search)

I've also gotten into contact with at least one bot owner who very honestly told me it's so they don't need to pay for the API if they have your key (To protect this bot owner I won't name them, but I can provide proof in private if it's requested and absolutely needed). So while it might not be as ill-meant as written above, it's still a huge risk.

To summarize: It saves bot owners a quick buck at the cost of your own safety.

While one of the bots (the honest one, bless him) was willing to switch over their strategy again to the classic ways which most other bots use, I've also had a run-in with an owner who absolutely doubled down into this key thing, removing my comments, accusing me of not knowing anything, and saying "I could just revoke access to the key after I'm done trading". Yeah, that's cool and all, but apart from that being a hassle, if every bot is going to do this, my key is pretty much always floating around somewhere, and therefore I will be under constant risk. Yes, they really did say this, and then they removed their comment once I called them out on it, which I think is very suspicious, non-transparent and anti-consumer of them. Here is proof of this interaction.[imgur.com]

Now I'm definitely not an expert, and please let me know if I'm missing any information!!! But to me, this development sounds like a very anti-consumer strategy, and I've immediately solidified my position to NEVER give anyone my key; and to boy-cot any bots who use this strategy. But I'm worried that this might become a trend, as I've now already spotted at least 4 bots forcing you to hand over your key.

My question to you is: What is Steam Supply's stance on this? Sure, I wouldn't call them scam bots like the other obvious scam bots from the past, but I definitely can't appreciate how intrusive these bots are now, expecting you to give over API keys that give them full access to stuff. If every bot starts using this strategy, saving money on API costs at the costs of consumer safety, I fear for the worst. Having your key float around puts you under constant risk of the key falling in the hands of bad actors, them intercepting a trade, and then scamming you. The more bots you give the key, the bigger the risk. If this becomes a bigger trend, will Steam Supply allow it? Turn a blind eye, or will this become looked down upon, or report-able in a way?

Thanks again and yours sincerely,

Mike