New OAuth client creation is temporarily disabled. Existing clients will continue to work normally.

Prerequisites

Before integrating OAuth2, ensure you have the following:
OAuth client creation is currently limited to approved partners. To request access:
  1. Create an account on the CDP Portal
  2. Contact your Coinbase representative to request OAuth whitelisting
  3. Once approved, you can create OAuth clients under API Keys > OAuth
You can invite team members to your CDP organization to share access.
OAuth2 testing requires real Coinbase accounts as there is no sandbox or test user functionality. All testing occurs in the production environment. To test the OAuth flow, you will need:
  • A Coinbase account
  • Completed identity verification (KYC), which includes providing ID and SSN for US accounts
Your team can use a shared Coinbase account for development and testing.
OAuth2 integration is primarily designed for US-based users. Team members in other regions may face limitations when testing:
  • Some features may not be available in all jurisdictions
  • KYC requirements vary by country
  • Certain API endpoints are US-only
If your organization requires firewall allowlisting, add the following domains:
  • api.coinbase.com — All API requests (auth and feature APIs)
  • login.coinbase.com — OAuth authorization flow
There are no separate staging or non-prod hosts. All development, testing, and production use the same endpoints.

Overview

This guide walks you through integrating OAuth2 to access Coinbase user accounts:
  • Register an OAuth application
  • Redirect users to authorize
  • Exchange the authorization code for tokens
  • Make authenticated API requests

1. Register your OAuth application

Go to CDP Portal OAuth settings and create a new OAuth2 application. You’ll receive:
  • Client ID: Public identifier for your application
  • Client Secret: Keep this secure—never expose in client-side code

2. Redirect users to authorize

GET https://login.coinbase.com/oauth2/auth
  ?response_type=code
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=https://your-app.com/callback
  &scope=wallet:accounts:read,wallet:transactions:send
  &state=SECURE_RANDOM_STRING
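
The state value in the request above binds the callback to the browser session that started the flow. The following is an added example, not Coinbase's code: it generates state, keeps it in a server-side session, and refuses any callback whose state is missing, replayed or different. The function names and the dict standing in for the session are assumptions, and the error parameter is the standard one from RFC 6749.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://login.coinbase.com/oauth2/auth"  # from this page


def build_authorization_url(session, client_id, redirect_uri, scopes):
    """Return the step 2 URL and bind a fresh random state to this session."""
    state = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    session["oauth_state"] = state     # server-side session store (assumption)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),     # comma-separated, as shown on this page
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code only if state matches this session."""
    params = parse_qs(urlparse(callback_url).query)
    # pop() makes the stored state single use, even when validation fails
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError
    if not expected or not hmac.compare_digest(expected.encode(),
                                               received.encode()):
        raise ValueError("state mismatch: discard the code, do not exchange it")
    if "error" in params:              # RFC 6749 error response
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code
```

Only a code returned by handle_callback should be sent to the token endpoint in step 3.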

3. Exchange code for tokens

curl -X POST https://login.coinbase.com/oauth2/token \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "redirect_uri=https://your-app.com/callback"

4. Make authenticated requests

curl https://api.coinbase.com/v2/accounts \
  -H "Authorization: Bearer ACCESS_TOKEN"

Token lifecycle

Token Type     | Lifetime  | Usage
Access Token   | 1 hour    | Authenticate API requests
Refresh Token  | 1.5 years | Obtain new access tokens
Refresh tokens can only be used once. Each token exchange returns a new refresh token that must be stored for future use.