API Key authentication should only be used to access your own account. To securely access the accounts of other Coinbase users, use Coinbase App (OAuth2)
Coinbase App APIs can be accessed using API Keys created on the Coinbase Development Platform (CDP). See CDP API keys.
Keys created on the Coinbase Development Platform (CDP) may not yet be supported by all third-party applications.
CDP API keys are used to generate a JSON Web Token (JWT) for an API. Once you have generated a JWT, send it in an Authorization: Bearer header to make an authenticated request.
Regardless of which code snippet you use, follow these steps:
1. Replace key name and key secret with your key name and private key. key secret is a multi-line key and newlines must be preserved to properly parse the key. Do this on one line with \n escaped newlines, or with a multi-line string.
2. Set the request path to the endpoint you are calling, for example /v2/accounts/f603f97c-37d7-4e58-b264-c27e9e393dd9/addresses.
3. Export the generated JWT to the environment: export JWT=...
4. Your JWT expires after 2 minutes, after which all requests are unauthenticated. You must generate a different JWT for each unique API request.
The easiest way to generate a JWT is to use the built-in functions in our Python SDK as described below. Otherwise, use the code samples below to generate/export a JWT and make an authenticated request.
1. Install the SDK.
2. In the console, run python main.py (or whatever your file name is).
3. Set the JWT to that output, or export the JWT to the environment with export JWT=$(python main.py).
4. Make your request, for example: curl -H "Authorization: Bearer $JWT" 'https://api.coinbase.com/api/v3/brokerage/accounts'
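The following Python is an added example, not the page's or the Coinbase SDK's own code: it builds a CDP-style JWT for exactly one request, restoring the \n-escaped key secret, binding the token to the request method and path, and setting the 120-second expiry the steps above describe. The claim names (sub, iss, nbf, exp, uri), the header fields (kid, nonce), the api.coinbase.com host and the ES256 algorithm are assumptions about the CDP scheme rather than statements on this page, and signing requires the PyJWT and cryptography packages.

```python
import secrets
import time

JWT_LIFETIME_SECONDS = 120  # the page: a JWT expires after 2 minutes

def normalize_key_secret(secret: str) -> str:
    """Restore real newlines in a key secret stored on one line with "\\n"
    escapes; PEM parsers need the multi-line form."""
    return secret.replace("\\n", "\n")

def build_claims(key_name: str, method: str, path: str, now=None) -> dict:
    """Claims for exactly one request (assumed CDP layout, not from this page):
    'uri' ties the token to METHOD host+path, so a leaked token is useless for
    any other endpoint, and 'exp' limits the exposure window to 120 seconds."""
    now = int(time.time()) if now is None else int(now)
    return {"sub": key_name, "iss": "cdp", "nbf": now,
            "exp": now + JWT_LIFETIME_SECONDS,
            "uri": f"{method.upper()} api.coinbase.com{path}"}

def build_headers(key_name: str) -> dict:
    """JOSE header: key id plus a fresh random nonce per token (assumed layout)."""
    return {"kid": key_name, "nonce": secrets.token_hex()}

def sign_jwt(key_name: str, key_secret: str, method: str, path: str) -> str:
    """ES256-sign the claims with the EC private key in the key secret. PyJWT and
    cryptography are imported here so the helpers above work without them."""
    import jwt
    from cryptography.hazmat.primitives import serialization

    pem = normalize_key_secret(key_secret).encode()
    private_key = serialization.load_pem_private_key(pem, password=None)
    return jwt.encode(build_claims(key_name, method, path), private_key,
                      algorithm="ES256", headers=build_headers(key_name))

if __name__ == "__main__":
    # Demo with a throwaway P-256 key generated here (constructed, not a real CDP
    # key), serialized to PEM and then "\n"-escaped like a one-line env var value.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import ec

    demo_pem = ec.generate_private_key(ec.SECP256R1()).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption()).decode()
    token = sign_jwt("organizations/EXAMPLE/apiKeys/EXAMPLE",  # placeholder key name
                     demo_pem.replace("\n", "\\n"), "GET",
                     "/v2/accounts/f603f97c-37d7-4e58-b264-c27e9e393dd9/addresses")
    print(token)  # then: curl -H "Authorization: Bearer $JWT" https://api.coinbase.com/v2/...
```

Because the uri claim names one method and path and exp is only 120 seconds ahead, a token minted for one call cannot be reused for a different endpoint or after the window closes, which is why each request needs its own JWT.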
Store your credentials securely. If someone obtains your api_secret with the transfer permission, they will be able to send all the digital currency out of your account.
Avoid storing API keys in your code base (which gets added to version control). The recommended best practice is to store them in environment variables. Learn more about environment variables here. Separating credentials from your code base and database is always good practice.
API Key access is turned off by default on all accounts. To implement an API Key integration, you therefore must first enable it, and then take the necessary precautions to store the API Key securely. You can always regenerate your API Key (or disable it) if you feel it has been compromised.
It is also very important that your application validates our SSL certificate when it connects over https. This helps prevent a man-in-the-middle attack. If you are using a client library, this may be turned on by default, but you should confirm this. Whenever you see 'verify SSL' you should always ensure it is set to true.
For enhanced API Key security, we recommend that you allowlist IP addresses that are permitted to make requests with a particular API Key.
You can specify IP addresses to allowlist when creating a new API Key or editing an existing one.