
Create API Keys on Coinbase Developer Platform

This page explains how to create API keys on the Coinbase Developer Platform (CDP). Use these keys to authenticate requests to permissioned endpoints of the Advanced Trade REST API and WebSocket API channels.

CDP API Keys

Coinbase recommends that you generate new API keys on the Coinbase Developer Platform (CDP), formerly called Coinbase Cloud. Legacy authentication is currently still supported.

Auth Schemes

Advanced Trade API and the adjacent Sign in with Coinbase (SIWC) APIs support the following authentication schemes.

Scheme: CDP API keys
Who Should Use: Individuals or applications for individual use. If you have security keys enabled on your account.
When to Use:
  • With all Advanced REST APIs & WebSocket channels
  • With new Advanced API features like Portfolios
  • Can be used on SIWC APIs

Scheme: OAuth2
Who Should Use: Applications serving many users
When to Use:
  • Can be used with Advanced REST API
  • Can be used with SIWC APIs

Scheme: Legacy API Keys (REST, WebSocket)
Who Should Use: Individuals or applications for individual use
When to Use:
  • Can be used with Advanced REST API & WebSocket channels (except new features)
  • Can be used with SIWC APIs

Creating API Keys

  1. Log into Coinbase Developer Platform (CDP).
  2. Navigate to Access API keys.
  3. In the Create API key dialog, configure:
    • API key nickname.
    • Portfolio (e.g., Default).
    • Permission level (View, Trade, Transfer).
    • Allowlist IPs.
  4. Click Create & Download.
  5. Click Complete 2-factor authentication and enter your CDP 2FA code. The key automatically downloads as a JSON file.
  6. In the final popup, you can optionally copy the API Key Name and Private Key (which are also in the JSON download). Read the warning and click Got it to finish.

OAuth2

Use OAuth authentication if you're building an application for many users on top of the Advanced Trade APIs. See Sign in with Coinbase OAuth2 Integration to get a client set up and make authenticated calls.

Security Best Practices

Storing Credentials Securely

Store your credentials securely. If someone obtains your api_secret with the wallet:transfer:send permission, they will be able to send all the digital currency out of your account.

Avoid storing API keys in your code base (which gets added to version control). The recommended best practice is to store them in environment variables. Learn more about environment variables here. Separating credentials from your code base and database is always good practice.

API Key access is turned off by default on all accounts. To implement an API Key integration, you must therefore first enable it, and then take the necessary precautions to store the API Key securely. You can always regenerate your API Key (or disable it) if you feel it has been compromised.

Validating SSL Certificates

It is also very important that your application validates our SSL certificate when it connects over HTTPS. This helps prevent a man-in-the-middle attack. If you are using a client library, validation may be turned on by default, but you should confirm this. Whenever you see 'verify SSL', you should always ensure it is set to true.
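
An added example (not Coinbase's code) covering the two practices above: credentials are read from environment variables, the TLS context fails closed if certificate verification is off, and a scan reports files in a code base that contain private key material. The variable names CDP_API_KEY_NAME and CDP_API_PRIVATE_KEY, and the assumption that the private key is PEM-encoded, belong to this example and not to the page.

```python
import os
import re
import ssl

# Hypothetical variable names for this example; the page does not define any.
KEY_NAME_VAR = "CDP_API_KEY_NAME"
PRIVATE_KEY_VAR = "CDP_API_PRIVATE_KEY"
# Assumption: the private key is PEM-encoded, so its header marks leaked key material.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def load_credentials(env=os.environ):
    """Return (key_name, private_key) from the environment; raise if either is unset."""
    missing = [v for v in (KEY_NAME_VAR, PRIVATE_KEY_VAR) if not env.get(v, "").strip()]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    # A PEM value stored on one line carries literal "\n" sequences; restore the newlines.
    return env[KEY_NAME_VAR].strip(), env[PRIVATE_KEY_VAR].replace("\\n", "\n")


def strict_tls_context():
    """Return a TLS context that verifies the server's certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Fail closed if verification has been weakened (the 'verify SSL = false' case).
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("certificate verification is disabled")
    return ctx


def find_committed_keys(root):
    """Return sorted relative paths of files under root containing a private key header."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if PEM_PRIVATE_KEY.search(fh.read()):
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: nothing to report
    return sorted(hits)
```

Pass the returned context to the HTTPS client, for example `http.client.HTTPSConnection(host, context=strict_tls_context())`, and run `find_committed_keys(".")` before committing.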

Additional Security for API Keys

For enhanced API Key security, we recommend that you whitelist IP addresses that are permitted to make requests with a particular API Key.

You can specify IP addresses to whitelist when creating a new API Key or editing an existing one.
