Skip to main content

Sign in with Coinbase OAuth2 Integration

Registering OAuth2 Client

Before integrating Sign in with Coinbase, you need to register a new OAuth2 application under your API settings. If you're using a previous OAuth2 implementation, you may need to configure the following settings:

  • Authorize URL:
  • Access Token URL:

Integrating with OAuth2 Library

Coinbase recommends integrating your OAuth client with a battle-tested OAuth2 library so that you can simply plug in your client id, client secret, etc. Consider using one of the following OAuth2 libraries.

Integrating Manually


Use the following steps if you prefer not to integrate with a well-known OAuth2 library.

To integrate your third-party web server application with Coinbase, use the following flow:

1. Redirect users to request Coinbase access


When redirecting a user to Coinbase to authorize access to your application, you'll need to construct the authorization URL with the correct parameters and scopes. Here's a list of parameters you should always specify:

response_typeRequired Value code
client_idRequired The client ID you received after registering your application.
redirect_uriOptional The URL in your app where users will be sent after authorization (see below). This value needs to be URL encoded. If left out, your application's first redirect URI will be used by default.
stateOptional An unguessable random string to protect against cross-site request forgery attacks. Must be at least 8 characters long. Read more
scopeOptional Comma separated list of permissions (scopes) your application requests access to. Required scopes are listed under endpoints in the Full Scopes List

Example of an authorization URL:


You can further customize the authorization page and permissions. Read more at OAuth2 reference.

2. Coinbase redirects back to your site

If the user approves your application, Coinbase will redirect them back to your redirect_uri with a temporary code parameter. If you specified a state parameter in step 1, it will be returned as well. The parameter will always match the value specified in step 1. If the values don't match, the request should not be trusted.

Example of the redirect:


3. Exchange code for an access token

After you have received the temporary code, you can exchange it for valid access and refresh tokens. This can be done by making a POST call:


With following parameters:

grant_typeRequired Value authorization_code
codeRequired Value from step 2
client_idRequired The client ID you received after registering your application.
client_secretRequired The client secret you received after registering your application.
redirect_uriRequired Your application's redirect URI

Example request:

curl \
-d 'grant_type=authorization_code&code=4c666b5c0c0d9d3140f2e0776cbe245f3143011d82b7a2c2a590cc7e20b79ae8&client_id=1532c63424622b6e9c4654e7f97ed40194a1547e114ca1c682f44283f39dfa49&client_secret=3a21f08c585df35c14c0c43b832640b29a3a3a18e5c54d5401f08c87c8be0b20&redirect_uri='

After a successful request, a valid access token will be returned in the response:

"access_token": "6915ab99857fec1e6f2f6c078583756d0c09d7207750baea28dfbc3d4b0f2cb80",
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": "73a3431906de603504c1e8437709b0f47d07bed11981fe61b522278a81a9232b7",
"scope": "wallet:user:read wallet:accounts:read"

4. Make an API call

After you have a valid access token, you can make your first API call:

curl /
-H 'Authorization: Bearer 6915ab99857fec1e6f2f6c078583756d0c09d7207750baea28dfbc3d4b0f2cb80'

Example response:

"data": {
"id": "9da7a204-544e-5fd1-9a12-61176c5d4cd8",
"name": "User One",
"username": "user1",
"profile_location": null,
"profile_bio": null,
"profile_url": "",
"avatar_url": "",
"resource": "user",
"resource_path": "/v2/user"

Was this helpful?