SHB
Features

Steam Guard and safety

How Steam Guard codes work in SHB, plus a short note on workers, encryption, and logging.

Steam Guard — logging in safely

Steam may ask for a Steam Guard code when the bot signs in.

How SHB handles it:

  • If you use a shared secret (authenticator / TOTP), the bot can generate codes for this bot-managed login.
  • Otherwise you enter the code yourself when the bot asks (for example from /gui), same as if you were logging in on your PC.

The bot only uses this for sessions it manages—not for logging you into random websites.

Why several accounts don’t freeze Discord

Each Steam session runs in a worker pool (separate threads), controlled by WORKER_POOL_SIZE (default 4). That way multiple accounts can run at once without blocking the main Discord bot.

Passwords and secrets in the database

Your Steam password, refresh tokens, and shared secrets are stored encrypted on disk (using the host’s CRYPTO_SECRET_KEY). That protects the database file if someone copies it—but anyone with the key and the file could decrypt them, so protect both.

Logs

The bot writes structured logs (Winston). Hosts should never log passwords, refresh tokens, or shared secrets in production.

  • Security — full policy and checklists.

Card idling

Idle owned games with trading card drops alongside hour boosting; sessions, API keys, and restart interval.

Security

Threat model, authorization, data at rest, operational checklists, and links to the canonical SECURITY.md in the repository.

On this page

Steam Guard — logging in safelyWhy several accounts don’t freeze DiscordPasswords and secrets in the databaseLogsRelated