CS2 Steam Game Server Token (GSLT): get and apply one

A Steam Game Server Token (GSLT) is the 32-character string Valve issues per server so CS2 appears in the public browser and runs VAC secure.

A Steam Game Server Token (GSLT) is a 32-character token Valve issues from your Steam account, one per server, that CS2 needs to register with the public server list and run VAC secure. Without one, your server still runs and your friends can join by address, but it stays LAN-only as far as the browser is concerned.

This doc is the focused reference. If you want the broader first-server walkthrough, read Setting up your Counter-Strike 2 server instead.

What a GSLT is

  • A 32-character string.
  • Issued per server, tied to your Steam account.
  • Used by CS2's sv_setsteamaccount to authenticate with Valve.
  • Any Valve ban on the token lands on the Steam account that issued it; that's why we ask you to bring your own.

Without one, CS2 boots fine but stays out of the public browser and refuses non-LAN connections by default. On Hostd, the visibility system uses Direct-connect as the fallback so the server is still reachable; see CS2 server visibility.

Before you start

Valve requires the account to be in good standing before it will let you generate tokens:

  • A verified phone number on the Steam account.
  • At least one purchase on the account (any Steam game works).

Brand-new free accounts can't generate tokens. If the Steam page tells you the account doesn't meet the requirements, those are the two boxes to tick.

Step 1: open the Steam token page

Go to steamcommunity.com/dev/managegameservers and sign in.

Step 2: create a new game server account

In the Create a new game server account box, fill in:

  • App ID: 730. Same number for CS:GO and CS2.
  • Memo: a private label you'll recognise later (hostd-cs2-pug, hostd-retakes, whatever fits). The memo is just for you; nobody else sees it.

Click Create. Steam shows your Login Token, 32 characters.

Step 3: paste it into Hostd

  1. Open your CS2 server in the dashboard.
  2. Click Settings.
  3. Find the Steam Game Server Token (GSLT) panel.
  4. Paste the 32 characters into the Token (32 characters) field.
  5. Click Save token.

The badge flips from amber Not configured to green Configured. A toast confirms: "Steam token saved. Restart the server to make it visible in the browser."

Step 4: set visibility to Public

The token isn't used unless visibility is Auto or Public. On a fresh server, the default is Auto, which is fine; on next boot it will use the token automatically. If you want to pin Public explicitly, go to Settings → Server visibility and click Public.

Step 5: restart

The server reads the token once at boot, so a restart is required. Dashboard, Restart. Within ~30 seconds of the restart finishing, the console shows:

[Hostd] Steam connection ready.
[Hostd] VAC secure mode active.

The server is then listed in the public CS2 browser.

How the token is stored

  • AES-256-GCM encrypted at rest in the Hostd database.
  • Written into the server's container at boot so it can't leak.
  • The server only reads it once on boot to write the sv_setsteamaccount line into the server config before launch.

Removing or replacing a token

Same panel. The buttons swap once a token is saved:

  • Replace token: opens the input, lets you paste a new value over the old one, Save token writes it. The encrypted database entry is overwritten in place.
  • Remove token: clears the stored value. On next restart the server boots LAN-only invisible (or falls back to Direct-connect under Auto). The confirmation prompt spells out the consequences.

What happens when you delete the server

Cleanup is automatic:

  • The encrypted database column is removed with the server record.
  • The volume is destroyed as part of the deletion flow, so the token file goes with it.

You don't strictly need to revoke the token on Steam afterwards, but it's tidy to do so from the same management page (each row has Regenerate / Delete actions).

Troubleshooting

"Steam servers refused our login" in the console, or repeated reconnect attempts. The token may have been regenerated on Steam's side, or the account's standing has changed (lapsed phone verification, account flagged). Generate a fresh token, paste it in, restart.

"This memo / app ID is already in use" when creating the token on Steam. Each (account, App ID, memo) combination has to be unique. Pick a different memo.

Server still says No Steam account token was specified after restart. Two things to check:

  1. The badge is green Configured before the restart, not amber. If it's amber, the save didn't land; try again.
  2. The boot you're reading is the one after the save. Stop / Start works as well as Restart, but check the timestamps. A log line from a boot before the save will still show the old state.

Auth never completes; the console sits on AuthStatus invalid: Waiting forever. This is usually Valve refusing gameserver auth from your source IP, not a problem with the token. Valve has discretion to refuse auth from IP ranges it classifies as risky, and some server / colo ranges sit on undocumented blocklists. No token will work from a refused IP. The mitigation is to switch visibility to Direct-connect; the server stays reachable, your token stays stored, and you can flip back to Public later if Valve's posture changes. See CS2 server visibility for the modes.

One GSLT per server

Steam ties bans to the token. Reusing one token across multiple servers means a single flag takes them all dark together. Generating a fresh token per server takes about 30 seconds each and keeps the blast radius small. Pick memos that tell them apart (hostd-cs2-pug, hostd-cs2-retakes, hostd-cs2-scrim) and you'll thank yourself later.

Where to next

Last updated 2026-05-20. Notice a mistake? Tell us.

Cookies

We use a few cookies that are strictly necessary to sign you in and keep your account secure. We do not load any advertising or third-party trackers. We would also like to run our own cookieless analytics so we can understand which pages are useful. See our Cookie Policy for the full list.