Before integrating Coinbase App, you need to register a new OAuth2 application under your CDP API settings. If you are migrating from a previous OAuth2 implementation, you may need to update it to use the following endpoints:
Authorization endpoint: https://login.coinbase.com/oauth2/auth
Token endpoint: https://login.coinbase.com/oauth2/token
Coinbase recommends integrating your OAuth client with a battle-tested OAuth2 library, so that you only need to plug in your client ID, client secret, and redirect URI. Consider using one of the following OAuth2 libraries. For enhanced security, implement PKCE (Proof Key for Code Exchange) in your OAuth2 flow.
Use the following steps if you prefer not to integrate with a well-known OAuth2 library.
To integrate your third-party web server application with Coinbase, use the following flow:
If you also want to receive a refresh token in the token exchange step, add the offline_access scope to your oauth2/auth request.
When redirecting a user to Coinbase to authorize access to your application, you need to construct the authorization URL with the correct parameters and scopes. The parameters you should always specify are:
| Parameter | Description |
|---|---|
| response_type | Required. Value: code |
| client_id | Required. The client ID you received after registering your application. |
| redirect_uri | Optional. The URL in your app where users will be sent after authorization (see below). This value needs to be URL encoded. If left out, your application's first registered redirect URI is used by default. |
| state | Optional. An unguessable random string, generated with a cryptographically secure random source, that protects against cross-site request forgery attacks. Must be at least 8 characters long. Store it server-side (for example in the user's session) so you can compare it on the redirect. |
| scope | Optional. Comma-separated list of permissions (scopes) your application requests access to. Required scopes are listed under endpoints in the Full Scopes List. |
| code_challenge | Optional. PKCE code challenge for additional security. If provided, code_verifier must be included in the token exchange step. |
| code_challenge_method | Optional. Method used to generate the code challenge. Supported values: S256 (recommended) or plain. Defaults to plain if not specified. Always send S256 explicitly: with plain the challenge is the verifier itself, so an attacker who observes the authorization request learns the value needed to redeem the code. |
Example of an authorization URL:
You can further customize the authorization page and permissions. Read more at OAuth2 reference.
If the user approves your application, Coinbase will redirect them back to your redirect_uri with a temporary code parameter. If you specified a state parameter in step 1, it will be returned as well and will always match the value you sent in step 1. If the returned state does not match the value your application stored, do not trust the request and do not exchange the code.
Example of the redirect:
Step 3: Exchange the code for an access token
After you have received the temporary code, you can exchange it for a valid access token (and a refresh token, if you requested the offline_access scope in step 1). This is done by making a POST call to the token endpoint (https://login.coinbase.com/oauth2/token) with the following parameters:
| Parameter | Description |
|---|---|
| grant_type | Required. Value: authorization_code |
| code | Required. The value from step 2. |
| client_id | Required. The client ID you received after registering your application. |
| client_secret | Required. The client secret you received after registering your application. Keep it server-side; never embed it in browser or mobile code. |
| redirect_uri | Required. Your application's redirect URI; it must match the value used in step 1. |
| code_verifier | Required if code_challenge was used. The PKCE code verifier that corresponds to the code challenge sent in step 1. |
Example request:
Example request with PKCE:
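The following is an added example that walks through steps 1 to 3 end to end; it is not Coinbase's own code or the output of any library. It generates the state value and an S256 PKCE pair, builds the oauth2/auth URL from the parameters in the table above, validates the redirect (rejecting a state mismatch), and assembles the POST body for the token endpoint. The client ID, client secret, redirect URI and the callback URL in the demo are constructed placeholders, and the hypothetical `exchange_code` function is the only part that talks to the network.

```python
import base64
import hashlib
import secrets
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from the page. Everything else in this example is assumed.
AUTH_ENDPOINT = "https://login.coinbase.com/oauth2/auth"
TOKEN_ENDPOINT = "https://login.coinbase.com/oauth2/token"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def generate_pkce_pair():
    """Return (code_verifier, code_challenge). 32 random bytes -> 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def generate_state() -> str:
    """CSPRNG-backed state, well above the 8-character minimum."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the URL the user is sent to. Scopes are comma-separated per the table."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode handles the URL encoding
        "state": state,
        "scope": ",".join(scopes),
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # never rely on the 'plain' default
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: validate the callback and return the temporary code, or raise."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    # Constant-time compare; a missing or different state means possible CSRF.
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: do not exchange this code")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no code parameter")
    return code


def build_token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 3: form body for the POST to the token endpoint (with PKCE)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def exchange_code(body: dict) -> dict:
    """Hypothetical helper: POST the form body and return the parsed JSON response."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=urlencode(body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; nothing here is a real credential.
    client_id, client_secret = "example-client-id", "example-client-secret"
    redirect_uri = "https://app.example.com/oauth/callback"
    verifier, challenge = generate_pkce_pair()
    state = generate_state()
    print(build_authorization_url(client_id, redirect_uri, ["wallet:accounts:read", "offline_access"], state, challenge))
    # Simulated callback (constructed), as Coinbase would redirect the browser.
    callback = f"{redirect_uri}?code=TEMP_CODE_123&state={state}"
    code = parse_redirect(callback, state)
    print(build_token_request(client_id, client_secret, code, redirect_uri, verifier))
```

Keep the state and code_verifier in the server-side session between step 1 and step 3; the verifier is what proves to the token endpoint that the party redeeming the code is the one that started the flow, so it must never appear in the authorization URL.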
After a successful request, a valid access token will be returned in the response:
After you have a valid access token, you can make your first API call:
Example response: