Sign in with Coinbase OAuth2 Tokens
Coinbase uses an optional security feature of OAuth2 called refresh tokens. When you first authenticate, your app is given an access_token and a refresh_token. The access token is used to authenticate all your requests, but it expires after two hours. Once an access token has expired, you must use the refresh token to obtain a new access token and a new refresh token. If you try to make a call with an expired access token, a 401 response is returned.

The refresh token never expires, but it can only be exchanged once: each exchange returns a new access token and a new refresh token, and the refresh token you just used is no longer valid. Store the new refresh token as soon as you receive it; if it is lost, there is no way to obtain another access token without sending the user through the authorization flow again.

This process adds some complexity for Sign in with Coinbase integrations, but it provides a valuable layer of security, since a compromised access token automatically stops working after two hours.
Creating a New Access Token
To get a new access token, send a POST request to /oauth/token as before, but this time include your refresh_token and set grant_type to refresh_token. The code and redirect_uri parameters are not required for this request.
curl https://api.coinbase.com/oauth/token \
  -X POST \
  -d 'grant_type=refresh_token' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'client_secret=YOUR_CLIENT_SECRET' \
  -d 'refresh_token=REFRESH_TOKEN'
The expected result is a response containing the new access token and the new refresh token, in the same shape as the initial token response:
{
"access_token":"...",
"token_type":"bearer",
"expires_in":7200,
"refresh_token":"...",
"scope":"all"
}
If you are using an OAuth2 library that supports refresh tokens, the library automatically takes care of these details.
Revoking an Access Token
Access tokens can be revoked manually if you want to disconnect your application's access to the user's account. Revoking can also be used to implement a log-out feature. You must supply the current access token twice: once as the token parameter, which names the token to revoke, and again to authenticate the request (either as an access_token parameter or in an Authorization header with the bearer token). 200 OK is returned for both successful and unsuccessful requests, so the status code does not tell you whether the token was actually valid.
curl https://api.coinbase.com/oauth/revoke \
  -X POST \
  -d 'token=ACCESS_TOKEN' \
  -H 'Authorization: Bearer 6915ab99857fec1e6f2f6c078583756d0c09d7207750baea28dfbc3d4b0f2cb80'
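The refresh-on-401 flow from "Creating a New Access Token" and the log-out flow from "Revoking an Access Token", as one added example that is not part of this page and not Coinbase's own code. It runs offline against FakeCoinbase, an in-memory stand-in constructed here that mirrors only the rules stated on this page (two-hour access tokens, single-use refresh tokens that rotate on every exchange, 401 for an expired access token, 200 from /oauth/revoke regardless of outcome). The /v2/user resource path, the error bodies returned by the fake, and the persist callback are assumptions made for the example, not Coinbase's API.

```python
import secrets
import time
from urllib.parse import parse_qs
ACCESS_TTL = 7200  # matches "expires_in":7200 in the page's sample response


class FakeCoinbase:
    """In-memory stand-in for api.coinbase.com (constructed for this example); it only
    mirrors the rules the page states and is not Coinbase's implementation."""
    def __init__(self, client_id, client_secret, now=time.time):
        self.client_id, self.client_secret, self.now = client_id, client_secret, now
        self.access = {}      # access_token -> expiry (epoch seconds)
        self.refresh = set()  # refresh tokens not yet exchanged

    def issue(self):
        """Mint a fresh pair in the shape the page shows for /oauth/token."""
        a, r = secrets.token_hex(32), secrets.token_hex(32)
        self.access[a] = self.now() + ACCESS_TTL
        self.refresh.add(r)
        return {"access_token": a, "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": r, "scope": "all"}

    def request(self, path, data="", headers=None):
        """Dispatch as the HTTP server would; returns (status, json_body)."""
        form = {k: v[0] for k, v in parse_qs(data).items()}
        if path == "/oauth/token":
            if (form.get("grant_type") != "refresh_token"
                    or form.get("client_id") != self.client_id
                    or form.get("client_secret") != self.client_secret):
                return 401, {"error": "invalid_client"}
            rt = form.get("refresh_token")
            if rt not in self.refresh:
                return 401, {"error": "invalid_grant"}
            self.refresh.discard(rt)  # single use: consumed by this exchange
            return 200, self.issue()
        if path == "/oauth/revoke":
            self.access.pop(form.get("token"), None)
            return 200, {}  # 200 for both successful and unsuccessful requests
        token = (headers or {}).get("Authorization", "").removeprefix("Bearer ")
        if path == "/v2/user":  # hypothetical protected resource
            if token in self.access and self.access[token] > self.now():
                return 200, {"data": {"id": "user-1"}}
            return 401, {"errors": [{"id": "expired_token"}]}
        return 404, {}


class CoinbaseClient:
    """Keeps the current pair; persist() receives the rotated pair before it is used,
    where a real app must store it durably (the old refresh token is already dead)."""
    def __init__(self, server, client_id, client_secret, tokens, persist=lambda t: None):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.access_token, self.refresh_token = tokens["access_token"], tokens["refresh_token"]
        self.persist, self.refreshes = persist, 0

    def refresh(self):
        """POST /oauth/token with grant_type=refresh_token (no code/redirect_uri)."""
        body = (f"grant_type=refresh_token&client_id={self.client_id}"
                f"&client_secret={self.client_secret}&refresh_token={self.refresh_token}")
        status, js = self.server.request("/oauth/token", data=body)
        if status != 200:  # spent or unknown refresh token: the user must re-authorize
            raise PermissionError(f"refresh failed: {js}")
        self.access_token, self.refresh_token = js["access_token"], js["refresh_token"]
        self.persist(js)
        self.refreshes += 1
        return js

    def get(self, path):
        """Authenticated GET; on 401 refresh exactly once and retry."""
        auth = lambda: {"Authorization": f"Bearer {self.access_token}"}
        status, js = self.server.request(path, headers=auth())
        if status == 401:
            self.refresh()
            status, js = self.server.request(path, headers=auth())
        return status, js

    def revoke(self):
        """Log out: the access token goes in the body and again as the bearer."""
        status, _ = self.server.request("/oauth/revoke", data=f"token={self.access_token}",
                                        headers={"Authorization": f"Bearer {self.access_token}"})
        self.access_token = self.refresh_token = None  # forget the pair locally too
        return status


def demo():
    """Walk the token life cycle on a controllable clock; returns what was observed."""
    cid, sec, clock, saved = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", [1_700_000_000.0], []
    srv = FakeCoinbase(cid, sec, now=lambda: clock[0])
    client = CoinbaseClient(srv, cid, sec, srv.issue(), persist=saved.append)
    first_refresh = client.refresh_token
    out = {"fresh": client.get("/v2/user")[0]}
    clock[0] += ACCESS_TTL + 1                       # the access token has now expired
    out["after_expiry"] = client.get("/v2/user")[0]  # 401 -> refresh -> retry
    out["refreshes"], out["persisted"] = client.refreshes, len(saved)
    out["rotated"] = client.refresh_token != first_refresh
    replay = f"grant_type=refresh_token&client_id={cid}&client_secret={sec}&refresh_token={first_refresh}"
    out["replay"] = srv.request("/oauth/token", data=replay)[0]  # already exchanged once
    revoked = client.access_token
    out["revoke"] = client.revoke()
    out["after_revoke"] = srv.request("/v2/user", headers={"Authorization": f"Bearer {revoked}"})[0]
    out["revoke_again"] = srv.request("/oauth/revoke", data=f"token={revoked}")[0]
    return out
```

Calling demo() shows the three points a practitioner needs to get right: the client refreshes exactly once on a 401 (a retry loop would burn refresh tokens if the failure is not expiry), the rotated refresh token is handed to persist() before anything else happens so a crash cannot leave the app holding only the spent token, and revoke() discards the local pair because the server answers 200 either way and gives no other signal.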