OAuth2 Permissions

Different applications require different access to a user's account, and Coinbase Connect provides several options to fine-tune that access, ranging from which accounts (wallets) are exposed to which API endpoints the API consumer may call. For the full list of options, see the OAuth2 reference.

Account access

Coinbase Connect applications can request different levels of access to a user's wallets. This access is defined by the account parameter on the OAuth2 authorization URL. The available options are:

  • select (default): the user picks the wallet to associate with the application
  • new: the application creates a new wallet (named after the application)
  • all: the application gets access to all of the user's wallets

Keep in mind that wallet access is always combined with the OAuth2 scopes (see below). For example, account=all together with scope=wallet:buys:create lets the application create buys on all of the user's wallets, but does not grant the ability to sell on any of them.

By passing the extra parameter account_currency you can restrict which accounts the user can pick when account=select is used. For example, to limit the choice to BTC and ETH accounts only, pass account_currency=BTC,ETH. By default, all cryptocurrency accounts are presented.

OAuth2 Permission Scopes

For OAuth2, permissions are specified by including an additional scope parameter in your OAuth2 request. For example, your app may only need to view a user's accounts and transaction history, without the ability to send/receive or buy/sell bitcoin, ethereum, or litecoin. Separate multiple permissions with a comma in the URL (e.g. &scope=wallet:accounts:read,wallet:transactions:read).

It's recommended that you request only the permissions your application needs. If you need more permissions later, you can re-authenticate the user, which prompts them to consider authorizing the additional permissions the next time they open the app.

Here is an example request URL with a scope parameter at the end:

https://www.coinbase.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL&scope=wallet:accounts:read,wallet:transactions:read

Full list of permission scopes

Send limits

To better protect Coinbase users, the wallet:transactions:send permission requires additional OAuth authorize parameters and two-factor authentication. The additional parameters are:

Parameter                   Description
meta[send_limit_amount]     A limit on the amount of money your application can send from the user's account. This limit is displayed on the authorize screen.
meta[send_limit_currency]   Currency of send_limit_amount in ISO format, e.g. BTC, USD.
meta[send_limit_period]     How often the send money limit expires. Default is month; allowed values are day, month and year.

Here is an example authorize URL (the one you redirect the user to) with a send money limit of $50 USD per day:

https://www.coinbase.com/oauth/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=YOUR_CALLBACK_URL&
    scope=wallet:transactions:send&
    meta[send_limit_amount]=50&
    meta[send_limit_currency]=USD&
    meta[send_limit_period]=day
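The two authorize URLs above (the scope-only request and the send-limit request) can be built and audited with a small helper. The Python below is an added example, not Coinbase's own code or client library; it assumes only the parameters documented on this page, the client id and callback URL are placeholders, and review_authorize_url is a hypothetical least-privilege check that flags scopes the app does not need, account=all, a missing meta[send_limit_*] trio, and USD limits above the $500 this page recommends as a maximum.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values documented on this page; everything else in this file is illustrative.
AUTHORIZE_URL = "https://www.coinbase.com/oauth/authorize"
ACCOUNT_OPTIONS = {"select", "new", "all"}
SEND_LIMIT_PERIODS = {"day", "month", "year"}
SEND_SCOPE = "wallet:transactions:send"
SEND_LIMIT_KEYS = ("meta[send_limit_amount]", "meta[send_limit_currency]",
                   "meta[send_limit_period]")


def build_authorize_url(client_id, redirect_uri, scopes, account="select",
                        account_currency=None, send_limit=None):
    """Build a Coinbase Connect authorize URL.

    scopes:           list of permission scopes, joined with commas in the URL
    account:          select (default) | new | all
    account_currency: list such as ["BTC", "ETH"]; only meaningful with account=select
    send_limit:       (amount, iso_currency, period) tuple, required whenever the
                      wallet:transactions:send scope is requested
    """
    if not scopes:
        raise ValueError("request at least one scope")
    if account not in ACCOUNT_OPTIONS:
        raise ValueError(f"unknown account option {account!r}")
    params = [
        ("response_type", "code"),
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", ",".join(scopes)),
    ]
    if account != "select":  # select is the default, so it is omitted
        params.append(("account", account))
    if account_currency:
        if account != "select":
            raise ValueError("account_currency only applies to account=select")
        params.append(("account_currency", ",".join(account_currency)))
    if SEND_SCOPE in scopes:
        if send_limit is None:
            raise ValueError(f"{SEND_SCOPE} requires the meta[send_limit_*] parameters")
        amount, currency, period = send_limit
        if amount <= 0 or period not in SEND_LIMIT_PERIODS:
            raise ValueError("send limit must be positive with period day, month or year")
        params += list(zip(SEND_LIMIT_KEYS, (str(amount), currency, period)))
    elif send_limit is not None:
        raise ValueError("send limit given but the send scope was not requested")
    # Keep ':' ',' '[' ']' literal so the URL reads like the documented examples.
    return AUTHORIZE_URL + "?" + urlencode(params, safe=":,[]")


def review_authorize_url(url, needed_scopes):
    """Least-privilege audit of an authorize URL (hypothetical check).

    Returns a list of findings; an empty list means the URL asks for no more
    than the application needs.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key, default=""):
        return query.get(key, [default])[0]

    findings = []
    requested = {s for s in first("scope").split(",") if s}
    extra = requested - set(needed_scopes)
    if extra:
        findings.append(f"over-privileged: scopes not needed: {sorted(extra)}")
    if first("account", "select") == "all":
        findings.append("account=all exposes every wallet; prefer select or new")

    if SEND_SCOPE in requested:
        for key in SEND_LIMIT_KEYS:
            if key not in query:
                findings.append(f"{SEND_SCOPE} requested without {key}")
        period = first("meta[send_limit_period]", "month")
        if period not in SEND_LIMIT_PERIODS:
            findings.append(f"invalid send_limit_period {period!r}")
        try:
            amount = float(first("meta[send_limit_amount]", "0"))
        except ValueError:
            amount = 0.0
            findings.append("send_limit_amount is not numeric")
        # The page recommends a maximum of $500 in most cases; applied here to USD limits.
        if first("meta[send_limit_currency]") == "USD" and amount > 500:
            findings.append(f"send limit {amount:g} USD exceeds the recommended 500 USD maximum")
    return findings


if __name__ == "__main__":
    url = build_authorize_url("YOUR_CLIENT_ID", "https://example.com/callback",
                              ["wallet:transactions:send"], send_limit=(50, "USD", "day"))
    print(url)
    print(review_authorize_url(url, ["wallet:transactions:send"]))
```

Running the audit before shipping a new integration catches the common regressions: a developer adding a scope "just in case", switching to account=all for convenience, or raising the send limit for every user instead of letting users set their own.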

For new applications, meta[send_limit_amount] is limited to $100 per user. To raise this default limit, you can request a limit increase from your application's settings. Each user who has successfully authenticated your app can also adjust this limit later from their account settings. Rather than requesting unnecessarily high limits for all your users, it is preferable, both for security and for user experience, to encourage users to set limits that match their own tolerance and needs.

Send limits are specific to each access token, which means the limit applies per user. In most cases your application should request a limit of no more than $500. Remember that your users can update this limit from their application settings after approving the application.