@giorgi-o
Last active September 3, 2023 21:43
Writeup: Riot Games vs The Valorant third-party dev community

Hi! 👋

I’m Giorgio, and I created and maintain a popular Valorant store checker called SkinPeek. I’d like to write a few paragraphs on the state of Valorant, specifically regarding how they treat the third-party developer community surrounding the game.

I first want to address the elephant in the room. You may have seen this tweet posted by the official Valorant Twitter account a while back:

image

This was probably the biggest spit in the face from Riot to us passionate community devs, and shows how little this multi-billion company actually cares about its ecosystem nowadays, despite once being best-in-class in terms of supporting third-party devs.

For those wondering: no, this does not mean you’ll get banned for using SkinPeek, although I’ll talk more about that later on. But first, I would like to give a quick bit of backstory, and talk about why game studios and third-party dev communities simultaneously love and hate each other.

League of Legends and open arms

League of Legends has always had one of the most active and healthy third-party dev communities, often even being supported by Riot themselves. Their developer documentation contains many details about how the game and the launcher work internally. They also provide a public service called Data Dragon, where anyone can access tons of assets and info about all the champions, spells, items and runes, all made public and updated automatically. They even created an official Discord server where third-party devs could talk directly to the Riot devs in charge of making the API.

Truly, if you were developing a program for League of Legends or TFT, you had all the tools you could ask for. Riot had created a fantastic open ecosystem. The third-party devs could make what they wanted, the players got to use these tools which made the game's ecosystem more vibrant, and in the end everybody was happy. Trust me when I say that Riot was the only AAA game dev providing such freedom and support to third-party devs.

League has consistently been the most played multiplayer PC game on the planet for many years in a row, so they must have been doing something right.

Using the granted freedom

One thing you can get using the League API is detailed stats about any player’s match history, using just their summoner name.

If you’ve ever played League, you might know that many players use a third-party tool such as Blitz or Porofessor to help them in their games. If you use one of these tools, it can give you a lot of info about the current game you're playing, such as tips and tricks for the champion you're using, various live graphs such as gold/min or CS/min, respawn timers for the jungle monsters, as well as gameplay stats about your teammates’ and opponents’ previous games and overall winrate and KDA.

image

The last one is the most problematic. The data in itself isn’t a bad thing to include; it can be helpful to know that your teammate plays much better in late game. That being said, it can easily lead to a toxic player seeing this information and abusing it, for example using the fact that their teammate has lost 3 times in a row to insult them and be toxic in chat.

Given that this information can be, and often is, abused by toxic players, is making it publicly accessible to anyone worth it? Well, Riot seem to have made up their mind.

Starting afresh

If you play Valorant and have tried to use tracker.gg to see your stats, you most likely have been greeted with this screen:

image

If you’ve ever wondered why you have to explicitly allow and consent to your stats being viewable by everyone, this is most likely why.

image

But let’s take a break from Riot, and have a look at another AAA game studio: Epic Games.

The semi-official way

There are many parallels between Valorant’s and Fortnite’s third-party dev landscape. Fortnite also has a somewhat thriving third-party dev community, from single-player custom servers, to unofficial game launchers, to lobby bots, and much, much more. Although there isn’t an official Epic-approved Discord server for these devs, there is an unofficial central server where you can find most of them. Basically, if anyone has “fortnite leaker” in their Twitter bio, you can be pretty sure they’re in that server.

Although the server isn’t official by any means, there are a couple of Epic employees in there, one of them being the legendary MagmaReef (aka Magma). He is part of the security team over at Epic, and often chimes in as to what Epic does or does not want the third-party devs to do or refrain from doing.

image

Most of these projects require reverse-engineering the game and the internal API, since Epic aren’t going to provide a public one. Epic are very much aware that people are using their internal API. However, they also know that the third-party devs are pretty much just passionate hobbyists, who make tools for their favorite game in their spare time. As long as these tools don’t harm the game experience, there’s no reason to take action against them. If people enjoying the game want to develop for it as well, why stop them? That being said, there’s no reason to put resources into officially supporting them either.

Third-party Epic devs are therefore in this limbo between allowed and banned, where they can do almost anything without asking Epic’s permission, but without Epic’s support either. In fact, in some ways this is a sort of symbiotic relationship, where both sides benefit from this arrangement:

  • The third-party devs can do pretty much anything the game can do, since they are using the same API calls that Fortnite.exe is, which is certainly much more than any public official API would support (think friends list, in-game settings, voice chat, etc; these are certainly things that would never make it into any official API).

  • Epic, on the other hand, doesn’t mind passionate devs improving the game ecosystem. If they really wanted to, they could easily prevent the methods the third-party devs use from working (they already do for aimbots & similar). However, this would require extra work, and there isn’t much point anyway. If some controversy ever occurred with one of these tools, Epic could simply throw their hands up in the air, say “we didn’t approve of this!” and ban everyone involved; it’s not a problem for them. They essentially have a “get out of jail free” card.

So at the moment, both sides are happy with the current situation. Is it perfect? Certainly not. But no one’s complaining.

Valorant, the worst of both worlds

Similar to Epic, Valorant also has an unofficial dev server (separate from the official one), where hobbyists go to reverse-engineer and talk about the in-game private API in order to share knowledge and help each other out. And similar to Epic, the Valorant team is very much aware that this is going on. The dev server is spearheaded by Mike (aka ValorLeaks), Floxay, and Officer.

Unfortunately, Valorant don’t seem too keen on supporting this ecosystem at all. Devs like me have pretty much been flying blind as to what is and isn’t allowed, guessing what is reasonable and what is forbidden, and in the process putting the users of our apps in danger.

Do you think a program to check your daily Valorant store is forbidden? How about a program to change your crosshair colour? Or a program to show your Twitch chat in your in-game Valorant chat? A program that implements Discord Rich presence because Riot won’t?

All these use cases seem fairly innocent. After all, they don’t give any sort of advantage in-game, and there is no reason their existence is going to make anyone’s game experience worse. Plus, no one's been banned or even warned yet, so it’s safe to assume that using these programs should be risk-free, but that's only an assumption. Without any communication with the devs, there is no way to know for sure, until Riot starts tweeting again.

(Note: No, Riot isn't going to suddenly start banning people for using a store checker. They know hundreds of thousands of players use one regularly. If they want it to stop, they'll change the API to prevent them from working, rather than banning a large chunk of their most passionate (and most money-making!) playerbase.)

Such is the situation with third-party devs using the unofficial Valorant API. It’s the only way to do the things we want to do, so all we can do is continue and hope for the best. We would love for some sort of official API similar to League, or at least some guidance on what we can and cannot do.

Some members have even created unofficial community APIs to replace what would be the official API! For example, Officer’s Valorant-API serves as a Data Dragon for Valorant, making in-game assets and values easily available programmatically, as well as Henrik’s API that can get any player’s current rank and match history using their Riot username.

But wait, doesn’t Valorant already have an official API?

The Valorant API: a pathetic joke

Yes, Valorant does indeed have an official API. That being said, it’s more than useless. It only has 4 endpoint groups:

  • VAL-CONTENT-V1: Used to fetch in-game content such as agents, maps, weapon skins and much more. Would be useful if Valorant-API didn’t do the same but better.
  • VAL-MATCH-V1: Used to fetch info about a player or a match. The most useful of the 4, however you’re only supposed to show info about players that expressly gave consent to do so.
  • VAL-RANKED-V1: Get the top players leaderboard.
  • VAL-STATUS-V1: Get the list of current incidents and maintenances.

It’s clear that these endpoints only exist for one purpose, as all you can really make with them is stat-tracking websites like tracker.gg, and even then, a very limited one as you can’t share people’s stats without them consenting to it. As such you most likely won’t see anything creative come out of the official API.

If the lack of endpoints wasn’t enough, the process to get an API key is downright comical. To request a key, you need to develop a fully functional working prototype of your application, before being able to apply. And that means that if they reject your application, you will have done all that work for nothing. Oh well :)

So just create a prototype, easy right? Well for League, they grant you a Development API Key that you can use to explore the different endpoints and develop your application. You have to renew it every 24 hours, and it has quite strict rate limits, but it should be more than enough to help you develop a functional application before requesting a better key.

But development keys are curiously absent from the Valorant API. That means you have to create your application that uses the API… without access to the API. But don’t fret! If you happen to stumble upon the Riot Third-Party Dev discord server, and you happen to visit the #val-dev channel and check the pins, buried in there you’ll find some sample data Tuxedo made available… back in June 2020. It’s fine, it’s not like the API has changed that much since then.

image

As a bonus, if you try to use a development key on a Valorant endpoint, the error message isn’t something useful such as “You can’t use dev keys on Valorant endpoints”. Why, that would be too simple! Instead, the message is “This endpoint is not available in your policy”, a cryptic message that leaves many people quite confused.

So, to recap, if you don’t know any of this and want to create something using the Valorant API:

  • If you’re making something other than a stat tracker, forget it
  • Navigate through the Riot API docs, then somehow figure out what the error message means
  • Find Tuxedo's sample data, either by chance or by asking in the Discord
  • Develop your application, knowing you might be doing it for nothing if it isn’t approved
  • Once you have a working prototype, submit it
  • Wait 2-3 months (!) for your application to be approved or denied
  • Congratulations, no one will use your program because tracker.gg exists already

If it isn’t already clear, this is obviously made because Valorant needed stat-tracking websites to compete with other FPSs, so they rushed out a half-baked API that only high-profile companies can afford to use.

The infamous tweet

To wrap things up, let’s revisit the tweet that caused me to write this whole thing:

image

This represents everything wrong with the state of the third-party Valorant API.

This tweet is clearly targeting programs such as vRY and WAIUA, which are the Valorant equivalent of Blitz and Porofessor for League: they show your teammates' and opponents' ranks during the game, which is something that’s supposed to be hidden until after the game is over.

The communication with the devs is totally absent. Although we were wondering whether these programs might be in the gray area, the Valorant team was radio silent for 1 year and a half, then chose to threaten the players by telling them they might get BANNED, instead of just talking to the devs directly at any point.

Most players won’t understand what “unauthorized 3rd-party apps that pull information hidden by the game client” means. I received multiple DMs saying “yo does this mean your shop bot will get me banned???” Uh, of course not, the shop bot doesn’t "pull information from the client" at all, and the in-game store isn’t “hidden information” by any means. But the average user doesn’t know that. How would they?

And to top it all off, it links the article from 2020 announcing the launch of the official API. How on earth does that help anyone tell whether an application is official? If I make a stats website and a store checker website, the average Valorant player won’t be able to tell me which one is using which API. Linking this article seems like a last-minute addition to an already nonsensical tweet, and all it does is add fuel to the fire.

Also check out Floxay’s response to the tweet.

Conclusion: One company, two extremes

It’s almost paradoxical that the best and the worst handling of third-party dev projects come from the same company. Maybe the Valorant team saw what was happening over at League’s side of things, wanted none of that, and pushed the lever in the complete opposite direction. Maybe they’re too scared that they might be helping the aimbot developers by helping us (which isn’t true, by the way). Maybe they’re too busy working on and perfecting other aspects of the game to worry about the API. Maybe they’re just disorganized. Who knows.

Honestly, the Valorant in-game API is one of the better-designed and more complete internal APIs I’ve seen, even though it’s not even meant for the public. Even the game architecture is friendly to us third-party devs via the local API. Here’s an ELI5:

Valorant.exe vs Riot.exe, and why the split is incredibly useful for us devs

The game is split into Valorant.exe and Riot.exe, where Valorant.exe is the game itself that handles moving, shooting, etc., and Riot.exe (the Riot launcher) handles everything around the game, think shop, missions, battlepass, agent contracts, login, friends, parties… Fun fact: If you noticed your friends can't hear the in-game voice chat while you screen share your game on Discord, it's because the voice chat audio is coming from Riot.exe, not Valorant.exe :)

If you’re wondering why the separation is a good thing for us third-party devs, consider that Valorant.exe is protected by Vanguard, so reading the memory would most likely get you permabanned. However, Riot.exe is not! That means that if the game is open, you can inject your own requests to Riot.exe via the local API, without touching Vanguard. This is the same architecture that League uses, and it’s a blessing for us third-party devs, since we can go in and get most stuff we need risk-free, while aiming & movement stays protected by Vanguard.


However, it seems that even the League side of things is falling apart. The official Riot-run server has been handed over to the community, to be an “unofficial but officially endorsed” type of server, which is a downgrade if you ask me. The “office hours”, a regular AMA from the Riot API devs, stopped happening a while ago. And Gene Chorba, the guy running the office hours as well as the guy in charge of the official Valorant API, left Riot in January. All in all, this probably isn’t good news for the third-party dev community of either game.

image

As for the Valorant dev community, we would probably do anything for a more accessible official API, maybe with a Discord-style application mechanism, some more API endpoints, and a public RSO portal (“sign in with riot” webpage), as currently the only way for users to log in to our applications is using usernames & passwords, which is a huge security risk (and Riot knows it).

One of the only times a Valorant dev (on the security team) joined the unofficial server was after the first Cloudflare incident. Mike managed to contact him on Twitter and asked him to join the server for a chat. We forwarded all these requests to him, and this is what he said:

image image

It shouldn’t come as a surprise that we haven’t heard back on any of this.

So that’s the current situation with the Valorant third-party development scene. A group of passionate devs doing whatever we can, and a company that refuses to interact with us more than necessary. Although I would love for the situation to get better, I unfortunately don’t see it changing anytime soon.

@floxay
floxay commented Jul 25, 2022

i love the val api!

@6lyxt
6lyxt commented Oct 13, 2022

thank you for this summary on what's going on