OAuth2 security updates

To improve security with Coinbase API’s OAuth2 authentication we have rolled out several changes over the past week. These changes have been implemented to better protect both our users and developers using OAuth2.

New changes affect send and send:bypass_2fa scopes. From today onwards, applications are given the default maximum send limit of $100/day/user, defined by the meta[send_limit_amount] parameter the in OAuth2 authorization page. If your application needs to send more than that, you can request higher limits for your application from the application settings page. Our staff reviews applications on a regular basis and will try to respond within 48h.

Also send:bypass_2fa will require separate and additional approval, as we want to encourage developers to implement it for better account security.

Applications have until April 20. 2015 to migrate to the new limits and the security changes that we announced in December. We’ll also be informing all affected developers via email in the next few days.

If you have questions related to limits or the approval process, you can contact us at api@coinbase.com.

Please note: We’re hiring engineers (both in our San Francisco office and remote anywhere in the world). If you’re interested in speaking with us about a role we’ve set up a coding challenge that you can take in about 30–45 minutes. You can also apply through our careers site if you prefer to start the conversation that way.

Written by Jori Lallo