Coinbase API Requests with Authentication in Postman

Posted on by Stefan Posted in Coinbase

The Coinbase cryptocurrency exchange platform offers REST API access for a variety of programmatic operations. You can access price information via public endpoints or access your account and trigger trade transactions. The latter requires calls to protected API endpoints and you need to use an API key and a secret. They will be used to generate an HMAC signature which must be sent as part of the request HTTP header for client authentication. See the Coinbase API reference guide for more information on API Key Authentication .

For writing this article, I used the below versions of Postman and the Coinbase API.

  • Postman version 8.6.2 – download
  • Coinbase REST API version 2021-06-19 – reference

Obtain your Coinbase API Key and Secret

You must first log into your Coinbase account and generate a new API key and secret. Click on your profile image and select Settings.

Coinbase profile menu
Fig 1: Access your Coinbase account settings

Navigate to the API tab and click on the New API Key button. Your existing API keys are shown on this page as well.

Coinbase API settings
Fig 2: On the API tab, click on the new API key button

A dialog will appear and allow you to configure the new key’s permissions. Always follow the Principle of least Privilege and only grant access privileges that are truly needed by the user of the new key.

Coinbase API new key privilege configuration
Fig 3: Configure your API key according to the principle of least privilege
Warning: Never share your API Key or your API Secret.

After generating your new API key, a confirmation dialog will show you the key and the secret. You need to take a note of the secret and store it in a safe location. You will not be able to view the secret ever again in your Coinbase account. Never share you secret and avoid hard-coding it in your source code or committing it to a source code repository. Once you have the API key and the API secret, you can make authenticated requests to the Coinbase API. In the next section, I am going to show how I used Postman to test the Coinbase REST API. I prefer testing an API with Postman first before writing any application code.

Create a new Collection in Postman and set Collection Variables

I highly recommend using Postman collections and variables when testing APIs. It facilitates reuse and allows for a structured organization of requests. Create a new collection in Postman and set the collection variables as shown in table 1. These variables will be used by the pre-request script when generating an HMAC signature and setting the required request headers. Make sure to first obtain a coinbase-api-key and coinbase-api-secret as shown in the previous section.

Variable Name
Variable Value
Description
coinbase-api-base
https://api.coinbase.com
The Coinbase REST API base URL.
coinbase-api-key
<your-api-key>
The Coinbase REST API key for your account.
coinbase-api-secret
<your-api-secret>
The Coinbase REST API secret for your account.
coinbase-api-timestamp
<generated-timestamp>
Unix epoch timestamp of the request (ms).
coinbase-api-signature
<generated-signature>
The HMAC-based signature of the request (base64).
Table 1: Collection variables for Coinbase REST API authentication

After creating a new collection, navigate to the Variables tab. Add the variables listed in table 1 and set the values of the first 3 variables according to your Coinbase account. That is, set the coinbase-api-base, your coinbase-api-key and coinbase-api-secret. Use the CURRENT VALUE properties for storing sensitive data because these values will not be exported or stored online. For more information on this topic, see the Postman documentation on using variables.

Note: In Postman, use the CURRENT VALUE property to store sensitive data.

Additionally, create the coinbase-api-timestamp and coinbase-api-signature variables, but leave their values blank. These values will be auto-populated by the pre-request script.

Postman collection variables
Fig 4: Postman collection variables for authenticated Coinbase API calls

Add new HTTP GET Request to Postman Collection

Add a new HTTP GET request to your newly created Postman collection. In this example, I am making an authenticated GET request to retrieve a list of all my Coinbase accounts, or wallets. The URL for this request is shown below.

https://api.coinbase.com/v2/accounts

In Postman, you can reference collection variables in various places. Here, I am using the collection variable {{coinbase-api-base}} to inject the Coinbase REST API base URL in the request’s URL field. In addition, authenticated requests require three mandatory headers.

Postman Coinbase API GET request headers
Fig 4: Coinbase API GET request authentication headers

Note that the value of these headers are linked to the respective collection variables shown earlier. The collection variables can now be read and set using pre-request scripts.

Header Name
Variable Name
Description
CB-ACCESS-KEY
{{coinbase-api-key}}
Your Coinbase REST API access key
CB-ACCESS-SIGN
{{coinbase-api-signature}}
The generated HMAC signature
CB-ACCESS-TIMESTAMP
{{coinbase-api-timestamp}}
The request timestamp
Table 2: Request headers and collection variables for Coinbase REST API authentication

Using a Postman Pre-Request Script for Generating HMAC Signature

In Postman, a pre-request script can be used to generate the HMAC signature that needs to be sent in the request’s header. As the name suggests, this script is executed before Postamn executes the HTTP request. The script’s output can then be used in the request. For more information on Postman’s pre-request scripting, refer to the documentation on Scripting in Postman. In this example, I am defining a pre-request script to be executed before all requests in my collection because they all require authentication. Here is the JavaScript code of that pre-request script:

// 1. Import crypto-js library
var CryptoJS = require("crypto-js");

// 2. Create the JSON request object
var req = {
    timestamp: Math.floor(Date.now() / 1000), // seconds since Unix epoch
    method: pm.request.method,
    path: pm.request.url.getPath(),
    body: '', // empty for GET requests
    message: undefined,
    secret: pm.collectionVariables.get("coinbase-api-secret"), // read value from collection variable
    hmac: undefined,
    signature: undefined,
};

// 3. Create the message to be signed
req.message = req.timestamp + req.method + req.path + req.body;

// 4. Create HMAC using message and API secret
req.hmac = CryptoJS.HmacSHA256(req.message, req.secret);

// 5. Obtain signature by converting HMAC to hexadecimal String
req.signature = req.hmac.toString(CryptoJS.enc.Hex);

// 6. Log the request
console.info("request: ", req);

// 7. Set Postman request's authentication headers for Coinbase REST API call
pm.collectionVariables.set("coinbase-api-timestamp", req.timestamp);
pm.collectionVariables.set("coinbase-api-signature", req.signature);

In summary, this pre-request script performs the following steps to generate the HMAC signature:

  1. Import the crypto-js cryptography library.
  2. Create a JSON object that holds the request data. The HTTP method and complete request path are obtained with pm.request.method and pm.request.url.getPath(). Similarly, the API secret is read from the collection variable with pm.collectionVariables.get("coinbase-api-secret")
  3. The req.message property holds the text that will be signed. The req.body property is the empty here since we are making a GET request.
  4. Create a new HMAC token, using the message to be signed and your API secret.
  5. Obtain the HTTP request signature by converting the HMAC token to a hexadecimal string.
  6. Set the timestamp and the signature headers of the request with pm.collectionVariables.set("coinbase-api-signature", req.signature);.
  7. Optionally, log the req JSON object to examine it in the Postman console.

Open your collection and navigate to the Pre-request Script tab and insert the script as shown below. It will then be executed before every request in the same collection.

Postman collection pre-request script
Fig 5: Postman collection pre-request script for Coinbase API signature generation

When you execute this request, you will get a response listing all of your Coinbase accounts. You can use the exact same script to make other authenticated calls to the API, including executing trades and transferring cryptocurrency. After executing the request, you can see the actual values of the timestamp and the signature on the collection’s variables tab.

This excerpt from the response shows two cryptocurrency wallets, one for Ethereum 2, holding 0.54471172 ETH and another one for SushiSwap, with a balance of zero.

{
  "pagination": {
      "key": "..."
  },
  "data": [
      {
          "id": "...",
          "name": "ETH2 Wallet",
          "primary": true,
          "type": "wallet",
          "currency": {
              "code": "ETH2",
              "name": "Ethereum 2",
              "color": "#8E76FF",
              "sort_index": 161,
              "exponent": 8,
              "type": "crypto",
              "address_regex": "^(?:0x)?[0-9a-fA-F]{40}$",
              "asset_id": "...",
              "slug": "ethereum-2"
          },
          "balance": {
              "amount": "0.54471172",
              "currency": "ETH2"
          },
          "created_at": "2021-06-22T23:16:32Z",
          "updated_at": "2021-06-23T16:40:49Z",
          "resource": "account",
          "resource_path": "/v2/accounts/...",
          "allow_deposits": false,
          "allow_withdrawals": false,
          "rewards": {
              "apy": "0.05",
              "formatted_apy": "5.00%",
              "label": "5.00% APR"
          }
      },
      {
            "id": "...",
            "name": "SUSHI Wallet",
            "primary": true,
            "type": "wallet",
            "currency": {
                "code": "SUSHI",
                "name": "SushiSwap",
                "color": "#F055A2",
                "sort_index": 160,
                "exponent": 8,
                "type": "crypto",
                "address_regex": "^(?:0x)?[0-9a-fA-F]{40}$",
                "asset_id": "...",
                "slug": "sushiswap"
            },
            "balance": {
                "amount": "0.00000000",
                "currency": "SUSHI"
            },
            "created_at": "2021-06-19T23:51:17Z",
            "updated_at": "2021-06-19T23:51:17Z",
            "resource": "account",
            "resource_path": "/v2/accounts/2a367a50-9691-57f0-bb22-3c42dd4cec8b",
            "allow_deposits": true,
            "allow_withdrawals": true
       }
  ]
}
Request debugging with the Postman console
Fig 6: Use the Postman console for request debugging

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.