Skip to main content

Prime REST API Requests

To start using the Prime REST API, open a Coinbase Prime account, create an API key, and authenticate.

The REST API has endpoints for account and order management as well as public market data.


Requests and responses have an application/json Content-Type and follow standard HTTP response status codes for success and failures.

Creating a Request

Request bodies should have content type application/json and be valid JSON. For instructions on creating a valid X-CB-ACCESS-SIGNATURE, see API Authentication.

curl --request GET \
--url '<API_PATH>' \
--header 'X-CB-ACCESS-KEY: <ACCESS_KEY>' \
--header 'Content-Type: application/json'

Retrieving IDs

Many API requests require either a portfolio_id or an entity_id value:

Sample Requests

The following Python and JavaScript snippets demonstrate an end-to-end Prime API request.


import json, hmac, hashlib, time, requests, base64
from requests.auth import AuthBase
class CoinbasePrimeAuth(AuthBase):
def __init__(self, key, secret, passphrase):
self.api_key = key
self.secret_key = secret
self.passphrase = passphrase
def __call__(self, request):
timestamp = str(int(time.time()))
message = timestamp + request.method + request.path_url.split('?')[0] + str(request.body or '')
signature ='utf-8'), message.encode('utf-8'), digestmod=hashlib.sha256).digest()
signature_b64 = base64.b64encode(signature).decode()
'X-CB-ACCESS-SIGNATURE': signature_b64,
'X-CB-ACCESS-KEY': self.api_key,
'X-CB-ACCESS-PASSPHRASE': self.passphrase,
'Accept': 'application/json'
return request
def get_an_order():
api_url = ''
api_key = "YOUR_API_KEY_HERE"
api_secret = "YOUR_API_SECRET_HERE"
auth = CoinbasePrimeAuth(api_key, api_secret, passphrase)
portfolio_id = "YOUR_PORTFOLIO_ID_HERE"
order_id = "YOUR_ORDER_ID_HERE"
# Get accounts
resp = requests.get(api_url + f'/v1/portfolios/{portfolio_id}/orders/{order_id}', auth=auth)
resp_json = json.loads(resp.text)
if __name__ == "__main__":


// native NodeJS https module
const https = require('https');
// Google's crypto-js packae via
const CryptoJS = require('crypto-js');
// Derived from your Coinbase Prime API Key
// SIGNING_KEY: the signing key provided as a part of your API key
// ACCESS_KEY: the access key provided as a part of your API key
// PASSPHRASE: the PASSPHRASE key provided as a part of your API key
const SIGNING_KEY = process.env.SIGNING_KEY;
const ACCESS_KEY = process.env.ACCESS_KEY;
const PASSPHRASE = process.env.PASSPHRASE;
const REST_METHODS = {
// Your unique entity ID
const ENTITY_ID = process.env.ENTITY_ID;
// A specific portfolio ID (only necessary if relevant to the request you're making)
const PORTFOLIO_ID = process.env.PORTFOLIO_ID;
// The base URL of the API
const PROD_URL = '';
// The path of the API endpoint being called
let requestPath = `/v1/portfolios/${PORTFOLIO_ID}`;
// The method of the request: GET, POST, PUT, DELETE, etc
let method = REST_METHODS.GET;
// Request signatures require a current UNIX timestamp in seconds that is
// embedded in the signed payload to verify against server clock.
const currentTimeInSecs = Math.floor( / 1000);
// Body will be JSON (POST) or empty string (GET)
const body = '';
// Function to generate a signature using CryptoJS
function sign(str, secret) {
const hash = CryptoJS.HmacSHA256(str, secret);
return hash.toString(CryptoJS.enc.Base64);
// Function to build the payload required to sign
function buildPayload(ts, method, requestPath, body) {
return `${ts}${method}${requestPath}${body}`;
// Build the string we want to sign using information defined above
const strToSign = buildPayload(currentTimeInSecs, method, requestPath, body);
// Sign it!
const sig = sign(strToSign, SIGNING_KEY);
// Use Postman's scripting objects to append the header values
const headers = new Map();
headers.set('X-CB-ACCESS-KEY', ACCESS_KEY);
headers.set('X-CB-ACCESS-SIGNATURE', sig);
headers.set('X-CB-ACCESS-TIMESTAMP', currentTimeInSecs);
headers.set('Content-Type', 'application/json');
const requestOptions = {
hostname: PROD_URL,
path: requestPath,
headers: Object.fromEntries(headers),
https.get(requestOptions, res => {
let data = [];
console.log('Status Code:', res.statusCode);
res.on('data', chunk => {
res.on('end', () => {
console.log('Response ended: ');
const parsedResponse = JSON.parse(Buffer.concat(data).toString());
}).on('error', err => {
console.log('Error: ', err.message);


Unless otherwise stated, bad requests respond with HTTP 4xx or 5xx status codes. The body also contains a message parameter indicating the cause.

Your implementation language's HTTP library should be configured to provide message bodies for non-2xx requests so that you can read the message field from the body.

Common error codes

Error CodeMeaningDescription
400Bad RequestInvalid request format
401UnauthorizedInvalid API Key
403ForbiddenYou do not have access to the requested resource
404Not FoundRequested resource could not be found
500Internal Server ErrorServer-side error occurred


A successful response is indicated by HTTP status code 200 and may contain an optional body. If the response has a body, it will be documented under the related endpoint resource below.

Was this helpful?