You should take great care to ensure your credentials are stored securely. If someone obtains your access_token with the wallet:transactions:send permission, they will be able to send all the bitcoin, litecoin or ethereum out of your account.
You should avoid storing API keys in your code base (which gets added to version control). The recommended best practice is to store them in environment variables. Separating credentials from your code base and database is always good practice.
OAuth2 access tokens and refresh tokens should be stored encrypted, with the encryption key stored in environment variables. To increase the security of your OAuth2 implementation, you should always specify a state parameter, request moderate wallet:transactions:send limits and implement 2FA.
To help protect against cross-site request forgery (CSRF), we recommend that you include a state GET parameter during the OAuth2 authorization process. Verifying that this value matches upon receipt of an authorization code will mitigate CSRF attempts. Make sure that you use a string that is at least 8 characters long.
An example of a request with state is as follows:
Once the user has authorized your application, the same state param will be passed back via the redirect URL together with the code param. You can read more about it here.
For added security, all redirect_uris must use SSL (i.e. begin with https://). URIs without SSL can only be used for development and testing and will not be supported in production.
For additional security, you can implement PKCE (Proof Key for Code Exchange) in your OAuth2 flow. PKCE provides protection against authorization code interception attacks, especially important for mobile and single-page applications.
To use PKCE:
1. Add the code_challenge and code_challenge_method parameters to your /oauth2/auth request.
2. Add the code_verifier parameter to your /oauth2/token request.

Caution: If you include a code_challenge in your authorization request, you must include the corresponding code_verifier in your token exchange request. Failure to do so will result in an authentication error.
Coinbase supports two methods for generating the code challenge:
The S256 method provides the strongest security by using SHA256 hashing:
The plain method uses the code verifier directly as the code challenge:
Method Selection:
- If code_challenge_method is not specified, it defaults to plain.
- Use S256 whenever possible for enhanced security.
- The plain method should only be used when SHA256 hashing is not feasible in your environment.

It is also very important that your application validates our SSL certificate when it connects over https. This helps prevent a man-in-the-middle attack. If you are using a client library, this may be turned on by default, but you should confirm this. Anytime you see a setting to 'verify SSL' you should ensure it is set to true.
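The following is an added example (not Coinbase's own code) that puts the state and PKCE guidance above into working Python: it generates an unguessable state and code_verifier, derives the code_challenge with either S256 or plain, builds the /oauth2/auth query (rejecting non-https redirect URIs), checks the echoed state in constant time, and shows the check a token endpoint performs, which is why a request without code_verifier fails. The client_id, redirect URI and scope values passed in are assumptions supplied by the caller.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse


def make_state(num_bytes: int = 16) -> str:
    """Unguessable CSRF token for the state parameter (well over the 8-char minimum)."""
    return secrets.token_urlsafe(num_bytes)


def make_code_verifier() -> str:
    """RFC 7636 verifier: 43-128 unreserved characters; 32 random bytes encode to 43."""
    return secrets.token_urlsafe(32)


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier: S256 = base64url(sha256), plain = as-is."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def authorize_query(client_id: str, redirect_uri: str, state: str,
                    verifier: str, scope: str, method: str = "S256") -> str:
    """Query string for the /oauth2/auth request; redirect_uri must be https."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must begin with https://")
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier, method),
        "code_challenge_method": method,  # send explicitly: omitting it defaults to plain
    })


def check_callback(saved_state: str, returned_state: str) -> bool:
    """Constant-time comparison of the state echoed back alongside the code."""
    return hmac.compare_digest(saved_state, returned_state)


def server_accepts(stored_challenge: str, method: str, verifier: Optional[str]) -> bool:
    """Token-endpoint side: a missing or mismatched code_verifier is rejected."""
    if verifier is None:
        return False
    return hmac.compare_digest(make_code_challenge(verifier, method), stored_challenge)
```

Persist the state and code_verifier server-side (session or encrypted store) between the authorize redirect and the token exchange; the verifier is sent only to /oauth2/token, never in the authorization URL.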