API keys can now be customized in a number of ways.
Users can now have multiple API keys, the keys have a secret to sign requests and you can set granular permissions and whitelist IPs for each and every key separately.
Multiple API keys
Until now, users on Coinbase could enable an API key and then use it to make all sorts of requests to our API.
This meant a single API key with global permissions that you had to be very careful with.
So today, we’re excited to introduce the ability for each user to have multiple API keys with different sets of permissions.
New HMAC keys and the deprecation of old keys
Another change we’re making is we are deprecating the old style of API keys, which were just a key string that you’d put in the request’s parameters.
All keys created from now on, will be accompanied by a secret, that you will use to sign requests as you make them.
What happened to the old API key?
If you’ve previously enabled API key access on your account, don’t worry, it’s still working.
Your old API key has been migrated to the new multi-key architecture and you will see it in the list of API keys, marked as deprecated.
We recommend that you move to the new, more secure API keys + Secret as soon as possible.
We will be discontinuing support for the old simple API keys in August 2014.
More security per key
When creating or editing each key, you now have the option to specify exactly which permissions the key will afford.
To make things even more secure, you can now set whitelisted IP addresses for each individual key as well.
This makes it easier, for example, to have a global API key that affords all access, but requests with it will be allowed only from your home computer’s static IP.
More security on every step
We also ramped up the security regarding the manipulation of API keys.
You are now prompted for your password or two-factor authentication whenever you are trying to:
- create a new API key,
- edit an existing API key,
- view an API key.
You are also prompted for a special security token that is e-mailed to you whenever you try to re-enable a disabled API key.
When viewing each individual API key, you also see exactly when it was created and when was the last update made to it.
With all these changes we strive to remain the world’s most trusted Bitcoin platform. We have more updates coming in the next few weeks, so stay tuned!