Scopes
Both API key and OAuth2 authentication require that you obtain correct permissions (scopes) to access different API endpoints.
All authenticated endpoints, except GET /user, require a specific scope to access them. Some endpoints might also have additional scopes for additional information or access. In general, permissions follow the service-name:resource:action pattern, where the service is wallet for the main Coinbase API.
With OAuth2, scopes should be considered as grants: users can select which scopes they grant to the application. The application might need to request new scopes over the lifecycle of the authorization. To see which permissions the user has granted, you can use the GET /user/auth endpoint.
As a general rule, you should ask only for scopes that your application needs and avoid asking for access to unnecessary ones. Users more readily grant access to limited, clearly described scopes.
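The grant check and the least-privilege rule above can be combined into one audit, shown here as an added example that is not part of the original documentation. It assumes the GET /user/auth body lists granted scopes under data.scopes; the sample body, the scope names in it, and the feature map are constructed for illustration.

```python
import json
import re

# Scope shape described above: service-name:resource:action
SCOPE_RE = re.compile(r"([a-z0-9_-]+):([a-z0-9_-]+):([a-z0-9_-]+)")

# Constructed sample body for GET /user/auth; the data.scopes layout is an assumption.
SAMPLE_AUTH_BODY = json.dumps({
    "data": {"method": "oauth",
             "scopes": ["wallet:user:read", "wallet:accounts:read",
                        "wallet:transactions:send", "wallet-accounts-read"]}
})

# Hypothetical map of what each application feature needs.
FEATURE_SCOPES = {
    "show_profile": {"wallet:user:read"},
    "list_balances": {"wallet:accounts:read"},
    "export_history": {"wallet:transactions:read"},
}


def parse_scope(scope):
    """Return (service, resource, action), or None if the string is malformed."""
    m = SCOPE_RE.fullmatch(scope)
    return m.groups() if m else None


def audit_grant(auth_body, feature_scopes):
    """Compare the scopes a user granted against what the features need."""
    granted_raw = json.loads(auth_body)["data"]["scopes"]
    malformed = sorted(s for s in granted_raw if parse_scope(s) is None)
    granted = {s for s in granted_raw if parse_scope(s) is not None}
    needed = set().union(*feature_scopes.values())
    return {
        # Features to keep disabled until the user grants more scopes.
        "blocked_features": sorted(f for f, req in feature_scopes.items()
                                   if not req <= granted),
        "missing": sorted(needed - granted),
        # Granted but unused: drop these from the next authorization request.
        "excess": sorted(granted - needed),
        "malformed": malformed,
    }


if __name__ == "__main__":
    print(json.dumps(audit_grant(SAMPLE_AUTH_BODY, FEATURE_SCOPES), indent=2))
```

A non-empty excess list means the application holds more access than it uses, which widens the impact of a leaked token.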