The Coinbase App API v2 supports cross-origin HTTP requests, commonly referred to as CORS. This means that you can call API resources using JavaScript from any browser.
While CORS allows for many interesting use cases, it is important to remember that you should never expose private API keys to third parties: anything shipped to a browser can be read by whoever loads the page. CORS is mainly useful with unauthenticated endpoints (e.g., Bitcoin price information) and OAuth2 client-side applications, where the browser holds a user-scoped access token rather than your API secret.
Cross-Origin Resource Sharing (CORS) is an HTTP-header-based mechanism that allows a server to indicate which origins (scheme, host and port combinations) are permitted to access its resources. CORS selectively relaxes the browser's same-origin policy, which by default prevents a web application from reading responses from a different origin.
For example, a frontend app hosted on https://domain-a.com may need to fetch resources from an API hosted at https://domain-b.com. With CORS enabled, the browser permits this interaction if the API server provides the appropriate CORS headers.
CORS works by adding HTTP headers that let servers describe the origins, methods and headers permitted for cross-origin access. For any request that is not "simple" (a method other than GET, HEAD or POST, a non-standard header such as Authorization, or a body type such as application/json), the browser first sends a preflight request using the OPTIONS method and only sends the actual request if the server's preflight response approves it. Note that a plain POST with a form-encoded body is not preflighted, so the preflight is not a security control against side effects on its own: the server must still authenticate and authorize every request it receives.
The Coinbase App API v2 uses CORS to allow client-side access to its endpoints directly from browsers, enabling use cases such as fetching live cryptocurrency prices. The headers involved are:
- Access-Control-Allow-Origin: Specifies which origin(s) are permitted access. A value of * allows access from all origins but is unsuitable for credentialed requests.
- Access-Control-Allow-Methods: Lists the HTTP methods permitted for cross-origin requests.
- Access-Control-Allow-Headers: Specifies the custom headers allowed in the request.
- Access-Control-Allow-Credentials: Indicates whether credentials (cookies or HTTP authentication) can be included.
- Access-Control-Max-Age: Indicates how long, in seconds, the preflight response can be cached.
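The policy these headers express, as an added JavaScript example that is not Coinbase's code: it builds the response headers for an allowlisted origin and answers a preflight request. The allowlist (which reuses the https://domain-a.com origin from the text plus a constructed second origin), the permitted methods and header names, and the max-age value are assumptions chosen for illustration.

```javascript
// Added example (not Coinbase's code): server-side CORS policy helpers.
// Allowlist, methods, header names and max-age below are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://domain-a.com",       // the frontend origin used in the text above
  "https://app.example.test",   // constructed second origin
]);

const POLICY = {
  methods: ["GET", "POST", "OPTIONS"],
  headers: ["Content-Type", "Authorization"],
  credentials: false,          // set true only together with an explicit origin allowlist
  maxAgeSeconds: 600,
};

// Headers for a response to a request from `origin`. Returns {} for an origin
// that is not allowlisted, so the browser blocks the response. A listed origin
// is echoed back verbatim (never reflected blindly), and Vary: Origin keeps
// shared caches from serving one origin's response to another.
function corsHeadersFor(origin, policy = POLICY, allowlist = ALLOWED_ORIGINS) {
  if (policy.credentials && allowlist.has("*")) {
    // Browsers reject "*" on credentialed responses; fail at configuration time instead.
    throw new Error('Access-Control-Allow-Origin "*" cannot be combined with credentials');
  }
  const headers = {};
  if (allowlist.has("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (origin && allowlist.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  } else {
    return headers;
  }
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Answer a preflight. `req` mimics a minimal Node-style request object with
// lowercase header names. Returns { status, headers }.
function handlePreflight(req, policy = POLICY, allowlist = ALLOWED_ORIGINS) {
  const base = corsHeadersFor(req.headers.origin, policy, allowlist);
  const method = String(req.headers["access-control-request-method"] || "").toUpperCase();
  const wanted = String(req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedHeaders = policy.headers.map((h) => h.toLowerCase());
  const ok = Boolean(base["Access-Control-Allow-Origin"]) &&
    policy.methods.includes(method) &&
    wanted.every((h) => allowedHeaders.includes(h));
  // Without an Access-Control-Allow-Origin header the browser fails the preflight.
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
    },
  };
}
```

Echoing a matched origin instead of reflecting whatever Origin header arrives is the important design choice: a server that reflects any origin and also sets Access-Control-Allow-Credentials: true has effectively disabled the same-origin policy for its authenticated users.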
Best practices:
- Never expose private API keys: storing private keys in client-side code risks unauthorized access, since anyone who loads the page can read them.
- Understand the risks of wildcards (*): using * for Access-Control-Allow-Origin can lead to unintended exposure, because any site can then read the response.
- Use preflight requests for sensitive actions: non-simple requests are preflighted, which lets the server refuse an origin before the actual request is sent, but every request must still be authorized server-side.
Types of CORS requests:
- Simple requests: GET, HEAD or POST with only CORS-safelisted headers and a form-style or text/plain Content-Type. The browser sends them immediately and only checks the Access-Control-Allow-Origin header on the response.
- Preflighted requests: anything else (for example PUT or DELETE, an Authorization header, or a JSON body). The browser first sends an OPTIONS request and proceeds only if the preflight response allows the method and headers.
- Requests with credentials: requests that include cookies or HTTP authentication (fetch with credentials: "include"). The response must carry Access-Control-Allow-Credentials: true and an explicit Access-Control-Allow-Origin; a wildcard is rejected.
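How the browser treats these three kinds of requests, as an added JavaScript example that is not Coinbase's code: it models the client-side decisions of whether a request needs a preflight and whether the browser would hand a response to script given its CORS headers and the request's credentials mode. The origins and header values used are constructed for the example.

```javascript
// Added example (not from the Coinbase docs): a model of the browser's CORS decisions.
// The method, header and content-type rules follow the Fetch standard's
// "CORS-safelisted" definitions.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser must send an OPTIONS preflight before this request.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return true;      // e.g. Authorization, X-Requested-With
    if (n === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// Would the browser expose this response to script? `credentials` mirrors
// fetch(..., { credentials: "include" }) or XMLHttpRequest.withCredentials.
function browserAllows({ origin, credentials = false }, responseHeaders) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const acao = h["access-control-allow-origin"];
  if (!acao) return false;                 // "No 'Access-Control-Allow-Origin' header is present"
  if (acao === "*") return !credentials;   // a wildcard never satisfies a credentialed request
  if (acao !== origin) return false;       // exact string comparison, no pattern matching
  return !credentials || h["access-control-allow-credentials"] === "true";
}
```

The two functions together explain the most common surprise in practice: a POST that works from a form suddenly fails once the client switches to a JSON body or adds an Authorization header, because the request has moved from the simple to the preflighted category and the server never answered the OPTIONS request.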
Common errors and what they mean:
- Error: "No 'Access-Control-Allow-Origin' header is present": the response did not carry an Access-Control-Allow-Origin header matching the requesting origin, so the browser blocked it. Check that the origin you are calling from is allowed by the server.
- Error: "CORS preflight did not succeed": ensure the server handles OPTIONS requests correctly and answers them with a 2xx status and the Access-Control-Allow-* headers.
- Error: "The request was redirected but preflight does not allow redirects": browsers do not follow redirects on a preflight request, so call the final URL of the endpoint directly rather than one that redirects to it.
For more information or assistance, feel free to reach out to us on the CDP Discord.