Use API keys to authenticate requests to the suite of APIs offered on CDP.

Key Types

| Type | Usage | Configuration |
|---|---|---|
| Secret API Key | Server-side: used to securely authenticate server-to-server communication; must be kept private for maximum security. | Custom scopes; IP allowlist |
| Client API Key | Client-side: used to identify applications from client-side code (i.e., OnchainKit) and used in the RPC endpoint. | Key rotation with expiration; Domain allowlist |
| OAuth Client (User Authentication) | Client-side: used to authenticate end users and access their Coinbase accounts with their permission. | Configurable scopes; Redirect URIs; Access & refresh tokens |

Secret API Keys

New API Key Signing Algorithm: Transitioning to Ed25519

We’re excited to announce a performance and usability upgrade to our API key signing algorithm! Previously, API keys were signed using ECDSA, but going forward, all new API keys will be signed with Ed25519. Learn more about this decision.

Creating Secret API Keys

  1. Navigate to the Coinbase Developer Platform and select Secret API Keys under the API Keys tab
  2. Click the Create API key button.
  3. Enter an API key nickname and click Create & Download.
  4. Secure your private/public key pair in a safe location. See our Security Best Practices for secure storage recommendations.

To regenerate an API key, click Manage to delete and recreate the key.

IP Allowlist (Optional)

For IP allowlist configuration and examples, see our Security Best Practices guide.

Client API Key

Rotating the Client API Key

  1. Navigate to the Coinbase Developer Platform and select Client API Key under the API Keys tab
  2. Click the Rotate button.
  3. Select an expiration time for your previous key. This is to ensure you can replace your previous key without any downtime.
  4. Click confirm and replace all references to your previous key, including in your RPC endpoint.

Domain Allowlist

For domain allowlist configuration and important considerations, see our Security Best Practices guide.

OAuth Clients

Creating OAuth Clients

  1. Navigate to the Coinbase Developer Platform and select OAuth under the API Keys tab
  2. Click the Create client button
  3. Enter your application details:
    • Application name (shown during OAuth)
    • Application type
    • Service offerings
    • Redirect URIs
  4. Configure any advanced options if needed
  5. Store your client ID and client secret securely. See our Security Best Practices guide.

Authorization Flow

// Authorization Request
// Build the URL on one line: whitespace or newlines inside the template literal
// would end up in the query string and break the request.
const authUrl = `https://login.coinbase.com/oauth2/auth` +
  `?response_type=code` +
  `&client_id=${encodeURIComponent(YOUR_CLIENT_ID)}` +
  `&redirect_uri=${encodeURIComponent(YOUR_REDIRECT_URL)}` +
  `&state=${encodeURIComponent(SECURE_RANDOM)}` +
  `&scope=wallet:accounts:read`;

Exchange Code for Tokens:

// Token Exchange
POST https://login.coinbase.com/oauth2/token
{
  "grant_type": "authorization_code",
  "code": "TEMPORARY_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "YOUR_REDIRECT_URI"
}

Token Management

  • Access tokens expire after 1 hour
  • Refresh tokens can only be used once
  • Use refresh tokens to obtain new access tokens when needed

Available Scopes

The following scopes control what your application can access:

  • wallet:accounts:read: View account balances
  • wallet:user:read: Access user information
  • wallet:transactions:read: View transaction history
  • wallet:transactions:send: Send cryptocurrency (requires 2FA)
  • offline_access: Get refresh tokens

Deleting Keys

To delete any type of API key:

  1. Click API keys on the left side navigation bar.
  2. Navigate to the API key you’d like to edit and click Manage.
  3. Click Delete Key.
  4. Copy and paste the ID associated with the key and click Delete Key to confirm.

Deleting unused keys is an important security practice. Remove API keys you no longer need to minimize your attack surface.

Ed25519 Signature Algorithm

From February 2025 onwards, new CDP API keys will default to using the Ed25519 signature algorithm for enhanced security and performance. Existing API keys signed with ECDSA will continue to function without interruption, but you will need to update your SDK library to support the new key type.

Secret Format Comparison

🔑 [Previously] ECDSA - PEM Format

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGzF05P0YzdmqnlP7ZTExK3tTldWkRbJXp8B/5G+zBKoAoGCCqGSM49
AwEHoUQDQgAEXFh8azfrBkMqBVAiLbLbbZYwK9L/9WNBOfcDYgM1GoyWy3qA5Yc
94yD0gKnKTTOY5z5Y6m8sghG2SnUTPA9Lg==
-----END EC PRIVATE KEY-----

🔐 [Now] Ed25519 - Base64 Format

88WPC/9+fV8a7/PGLh+MOL26PBni9KEqP/u3Tl0tWCw=

Benefits

  • Faster Verification: Ed25519 offers better performance, especially in high-load environments.
  • Stronger Security: Provides resistance against common cryptographic attacks.
  • Simpler Key Management: Smaller keys and deterministic signatures improve usability.

Transitioning Away from ECDSA

We will continue to support all existing ECDSA keys, and for a limited time you will still be able to generate new ECDSA keys in “Advanced Settings”. However, we strongly recommend upgrading to Ed25519 as soon as possible to take advantage of its improved security and performance.

ECDSA vs. Ed25519

What is ECDSA?

ECDSA (Elliptic Curve Digital Signature Algorithm) is a widely used asymmetric cryptographic algorithm based on elliptic curve cryptography (ECC). It’s commonly used in secure communications, blockchain, and digital signatures.

What is Ed25519?

Ed25519 is a modern public-key signature algorithm based on the Edwards-curve Digital Signature Algorithm (EdDSA), specifically using the Curve25519 elliptic curve. It is designed to be fast, simple, and resistant to common cryptographic vulnerabilities.

ECDSA vs. Ed25519 Key Differences

| Feature | ECDSA | Ed25519 |
|---|---|---|
| Algorithm Type | Elliptic Curve DSA | Edwards-curve DSA |
| Curve | secp256r1, secp256k1, etc. | Curve25519 |
| Key Size | 256-bit (secp256r1) | 256-bit |
| Signature Size | Variable (~64-72 bytes) | 64 bytes |
| Deterministic Signatures | ❌ Requires random nonce | ✅ Always deterministic |
| Performance | Slower verification | Faster signing & verification |
| Security | Strong but depends on nonce randomness | More resistant to implementation flaws |
| Private Key Shape | 32-byte scalar (can be DER-encoded in PEM format) | 32-byte seed (often stored with a 64-byte expanded form) |