Securing your CDP API keys is crucial when using the Coinbase Developer Platform. An exposed key is a working credential for your account: it can lead to compromised accounts and financial loss. Follow these best practices to keep your CDP API keys secure.
Embedding API keys in code increases the risk of accidental exposure. When you share or commit code, it is easy to forget to remove an embedded key, and a key that has ever been pushed to a repository should be treated as exposed. Instead: store keys in environment variables or in files outside your application's source tree, and keep those files out of version control.
Limiting key use to specific sources reduces the impact of compromised credentials: a stolen key is of little use to an attacker who cannot send requests from an allowlisted address. Use the allowlist feature to specify IPs or CIDRs, so that API requests are only honored from the origins you define.
When multiple APIs are enabled in your project, restrict each JWT to the specific API it was minted for, so that a token captured from one request cannot be replayed against another. Include the API request path in the signed claims; the signature then covers the intended endpoint, and a token presented to any other path fails validation because the claimed path does not match the request actually received. Together with the short expiry CDP JWTs carry, this keeps a leaked token usable for one endpoint and for a short window only.
Regular key rotation limits the window in which a leaked key stays useful. Because the Coinbase Developer Platform uses asymmetric cryptography, rotation means creating a new key and deleting the old one rather than re-keying in place: generate the new key, deploy it to every service that uses the old one, confirm requests succeed with it, and only then delete the old key so that rotation does not cause an outage.
Secret API keys are used for server-side authentication and must be kept private; the private key is the credential. These keys should never be exposed in client-side code, mobile app bundles, or public repositories.
Restrict the use of your Secret API key to specific IPs (IPv4 and IPv6 supported). This provides an additional layer of security by ensuring requests are honored only when they originate from your authorized servers. Steps to configure the IP allowlist:
Click API keys on the left side navigation bar.
Navigate to the API key you’d like to edit and click Manage.
Click Edit Key and expand API restrictions.
Add an IP or CIDR under IP allowlist and save the changes.
Restrict the use of your Client API key to specific domains: the API validates the Origin header on each request against your domain allowlist. This prevents other websites from using your key from a browser. Note that browsers set the Origin header and do not let page scripts override it, so the allowlist protects against your key being embedded in someone else's web page; a non-browser client that sets its own Origin header is not stopped by it, which is why a Client API key must not be given the privileges of a Secret API key.
Important considerations when using domain allowlists:
If domains are allowlisted, any API request without an Origin header will be rejected
Allowlisting a parent domain (e.g., example.com) does not automatically include its subdomains (e.g., sub.example.com)
Wildcards are not supported; each domain must be explicitly specified