The Coinbase cryptocurrency exchange platform offers REST API access for a variety of programmatic operations. You can access price information via public endpoints or access your account and trigger trade transactions. The latter requires calls to protected API endpoints and you need to use an API key and a secret. They will be used to generate an HMAC signature which must be sent as part of the request HTTP header for client authentication. See the Coinbase API reference guide for more information on API Key Authentication .
For writing this article, I used the below versions of Postman and the Coinbase API.
Obtain your Coinbase API Key and Secret
You must first log into your Coinbase account and generate a new API key and secret. Click on your profile image and select Settings.

Navigate to the API tab and click on the New API Key button. Your existing API keys are shown on this page as well.

A dialog will appear and allow you to configure the new key’s permissions. Always follow the Principle of least Privilege and only grant access privileges that are truly needed by the user of the new key.

After generating your new API key, a confirmation dialog will show you the key and the secret. You need to take a note of the secret and store it in a safe location. You will not be able to view the secret ever again in your Coinbase account. Never share you secret and avoid hard-coding it in your source code or committing it to a source code repository. Once you have the API key and the API secret, you can make authenticated requests to the Coinbase API. In the next section, I am going to show how I used Postman to test the Coinbase REST API. I prefer testing an API with Postman first before writing any application code.
Create a new Collection in Postman and set Collection Variables
I highly recommend using Postman collections and variables when testing APIs. It facilitates reuse and allows for a structured organization of requests.
Create a new collection in Postman and set the collection variables as shown in table 1. These variables will be used by the pre-request script when generating
an HMAC signature and setting the required request headers. Make sure to first obtain a coinbase-api-key
and coinbase-api-secret
as shown in the previous section.
https://api.coinbase.com
<your-api-key>
<your-api-secret>
<generated-timestamp>
<generated-signature>
After creating a new collection, navigate to the Variables tab. Add the variables
listed in table 1 and set the values of the first 3 variables according to your Coinbase account.
That is, set the coinbase-api-base
, your coinbase-api-key
and coinbase-api-secret
. Use the CURRENT VALUE properties
for storing sensitive data because these values will not be exported or stored online. For more information on
this topic, see the Postman documentation on using variables.
Additionally, create the coinbase-api-timestamp
and coinbase-api-signature
variables, but leave
their values blank. These values will be auto-populated by the pre-request script.

Add new HTTP GET Request to Postman Collection
Add a new HTTP GET request to your newly created Postman collection. In this example, I am making an authenticated GET request to retrieve a list of all my Coinbase accounts, or wallets. The URL for this request is shown below.
https://api.coinbase.com/v2/accounts
In Postman, you can reference collection variables in various places. Here, I am using the collection variable {{coinbase-api-base}}
to inject the Coinbase REST API
base URL in the request’s URL field. In addition, authenticated requests require three mandatory headers.

Note that the value of these headers are linked to the respective collection variables shown earlier. The collection variables can now be read and set using pre-request scripts.
CB-ACCESS-KEY
{{coinbase-api-key}}
CB-ACCESS-SIGN
{{coinbase-api-signature}}
CB-ACCESS-TIMESTAMP
{{coinbase-api-timestamp}}
Using a Postman Pre-Request Script for Generating HMAC Signature
In Postman, a pre-request script can be used to generate the HMAC signature that needs to be sent in the request’s header. As the name suggests, this script is executed before Postamn executes the HTTP request. The script’s output can then be used in the request. For more information on Postman’s pre-request scripting, refer to the documentation on Scripting in Postman. In this example, I am defining a pre-request script to be executed before all requests in my collection because they all require authentication. Here is the JavaScript code of that pre-request script:
// 1. Import crypto-js library var CryptoJS = require("crypto-js"); // 2. Create the JSON request object var req = { timestamp: Math.floor(Date.now() / 1000), // seconds since Unix epoch method: pm.request.method, path: pm.request.url.getPath(), body: '', // empty for GET requests message: undefined, secret: pm.collectionVariables.get("coinbase-api-secret"), // read value from collection variable hmac: undefined, signature: undefined, }; // 3. Create the message to be signed req.message = req.timestamp + req.method + req.path + req.body; // 4. Create HMAC using message and API secret req.hmac = CryptoJS.HmacSHA256(req.message, req.secret); // 5. Obtain signature by converting HMAC to hexadecimal String req.signature = req.hmac.toString(CryptoJS.enc.Hex); // 6. Log the request console.info("request: ", req); // 7. Set Postman request's authentication headers for Coinbase REST API call pm.collectionVariables.set("coinbase-api-timestamp", req.timestamp); pm.collectionVariables.set("coinbase-api-signature", req.signature);
In summary, this pre-request script performs the following steps to generate the HMAC signature:
- Import the crypto-js cryptography library.
-
Create a JSON object that holds the request data. The HTTP method and complete request path are obtained with
pm.request.method
andpm.request.url.getPath()
. Similarly, the API secret is read from the collection variable withpm.collectionVariables.get("coinbase-api-secret")
-
The
req.message
property holds the text that will be signed. Thereq.body
property is the empty here since we are making a GET request. - Create a new HMAC token, using the message to be signed and your API secret.
- Obtain the HTTP request signature by converting the HMAC token to a hexadecimal string.
-
Set the timestamp and the signature headers of the request with
pm.collectionVariables.set("coinbase-api-signature", req.signature);
. -
Optionally, log the
req
JSON object to examine it in the Postman console.
Open your collection and navigate to the Pre-request Script tab and insert the script as shown below. It will then be executed before every request in the same collection.

When you execute this request, you will get a response listing all of your Coinbase accounts. You can use the exact same script to make other authenticated calls to the API, including executing trades and transferring cryptocurrency. After executing the request, you can see the actual values of the timestamp and the signature on the collection’s variables tab.
This excerpt from the response shows two cryptocurrency wallets, one for Ethereum 2, holding 0.54471172 ETH and another one for SushiSwap, with a balance of zero.
{ "pagination": { "key": "..." }, "data": [ { "id": "...", "name": "ETH2 Wallet", "primary": true, "type": "wallet", "currency": { "code": "ETH2", "name": "Ethereum 2", "color": "#8E76FF", "sort_index": 161, "exponent": 8, "type": "crypto", "address_regex": "^(?:0x)?[0-9a-fA-F]{40}$", "asset_id": "...", "slug": "ethereum-2" }, "balance": { "amount": "0.54471172", "currency": "ETH2" }, "created_at": "2021-06-22T23:16:32Z", "updated_at": "2021-06-23T16:40:49Z", "resource": "account", "resource_path": "/v2/accounts/...", "allow_deposits": false, "allow_withdrawals": false, "rewards": { "apy": "0.05", "formatted_apy": "5.00%", "label": "5.00% APR" } }, { "id": "...", "name": "SUSHI Wallet", "primary": true, "type": "wallet", "currency": { "code": "SUSHI", "name": "SushiSwap", "color": "#F055A2", "sort_index": 160, "exponent": 8, "type": "crypto", "address_regex": "^(?:0x)?[0-9a-fA-F]{40}$", "asset_id": "...", "slug": "sushiswap" }, "balance": { "amount": "0.00000000", "currency": "SUSHI" }, "created_at": "2021-06-19T23:51:17Z", "updated_at": "2021-06-19T23:51:17Z", "resource": "account", "resource_path": "/v2/accounts/2a367a50-9691-57f0-bb22-3c42dd4cec8b", "allow_deposits": true, "allow_withdrawals": true } ] }
