Error making the /oauth/token request

Hi there,

I’m testing out an OAuth2 integration with Coinbase’s “sign in with Coinbase” API, and I’m currently getting the following error when POSTing for the token:

‘Invalid request. Instead of a GET request, you should be making a POST with valid POST params. For more information, see Sign In With Coinbase OAuth2 Authentication | Coinbase Cloud’

Here’s my request, which is a POST and includes all the correct parameters (grant_type, redirect_uri, client_id, client_secret, and code):

POST https://api.coinbase.com/oauth/token
grant_type=authorization_code&redirect_uri=http%3A%2F%2F127.0.0.1%3A5000%2Foauth2%2Fcallback%2Fcoinbase-poc&client_id=[REDACTED]&client_secret=[REDACTED]&code=[REDACTED]

Also should note that the response is coming back as a 404, which is also a little confusing.

I’m currently trying to debug this more on my end, but is there something that I’m missing? Appreciate any insight here!

Hi @ian-ridian , thank you for taking an interest in trying out Coinbase APIs. For the details regarding your inquiry, we will check on this for you with our team to see how we can best assist. We’ll get back to you once we have more information. Keep in touch!


Hello @ian-ridian ! Thank you for taking interest in using Coinbase API. We understand that you are having some errors with your OAuth2 Integration.

As a workaround, you may try to follow these steps in integrating the OAuth2 and see if you are still having an error:

  1. You first need to register a new OAuth2 application at https://www.coinbase.com/oauth/applications/new.
  2. Fill out the registration form with accurate information then click Create Application.
  3. Once done, for initial testing, you may click on the sample authorize URL and proceed to the next step. But in actual development, you have to create your own authorization URL with the correct permission (OAuth2 permissions) and scope (Permissions (Scopes)).
  4. Select the proper account you want to give access to, review the permissions, and then click “Authorize”.
  5. You will be directed to your redirect URI with a temporary code. Copy and store the given temporary code.
  6. Exchange this code for an access token by making a POST request to https://api.coinbase.com/oauth/token
  7. You may use the token by passing it as a header when calling out API endpoints (e.g. Authorization → Bearer 6915ab99857fec1e6f2f6c078583756d0c09d7207750baea28dfbc3d4b0f2cb80)

Please also make sure that there is no error in the configuration of your request. Look for typos, whitespaces, or invalid JSON formatting. You can also try double checking the following:

  • The request headers
  • The query parameters
  • The HTTP method

Please note that the access token expires in two hours. Once an access_token has expired, you will need to use the refresh_token to obtain a new access token and a new refresh token. The refresh token never expires but it can only be exchanged once for a new set of access and refresh tokens. If you try to make a call with an expired access token, a 401 response will be returned. For more details on how to integrate your OAuth2 app, you may check this out at this API Documentation.

We hope this helps.

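One way to handle the two-hour expiry and single-use refresh token described in the reply above, as an added example that is not Coinbase's code or part of the original post. `TokenStore`, the `exchange` callable and the reply field names (`access_token`, `refresh_token`, `expires_in`, the standard OAuth2 names) are assumptions, and `FakeTokenEndpoint` is a constructed stand-in so the block runs offline.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class TokenStore:
    """Keeps one access/refresh pair and rotates it under a lock."""
    def __init__(self, access, refresh, expires_in, exchange, clock=time.monotonic):
        self._lock = threading.Lock()
        self._exchange = exchange  # hypothetical callable(refresh_token) -> dict
        self._clock = clock
        self._save(access, refresh, expires_in)

    def _save(self, access, refresh, expires_in):
        self._access, self._refresh = access, refresh
        self._expires_at = self._clock() + expires_in

    def access_token(self):
        # One caller at a time: the refresh token can be exchanged only once,
        # so two concurrent refreshes with the same token would leave one failing.
        with self._lock:
            if self._clock() >= self._expires_at:
                reply = self._exchange(self._refresh)
                # Store BOTH new tokens; the old refresh token is now spent.
                self._save(reply["access_token"], reply["refresh_token"], reply["expires_in"])
            return self._access


class FakeTokenEndpoint:
    """Constructed stand-in that enforces single-use refresh tokens."""
    def __init__(self, valid_refresh):
        self.valid, self.calls = valid_refresh, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("refresh token already used")
        self.calls += 1
        self.valid = f"refresh-{self.calls}"
        return {"access_token": f"access-{self.calls}",
                "refresh_token": self.valid, "expires_in": 7200}


def demo(workers=8):
    endpoint = FakeTokenEndpoint("refresh-0")
    store = TokenStore("access-0", "refresh-0", 0, endpoint)  # expires_in=0: expired
    with ThreadPoolExecutor(workers) as pool:
        seen = set(pool.map(lambda _: store.access_token(), range(workers)))
    return endpoint.calls, seen
```

`demo()` has eight threads ask for a token at once after expiry; the endpoint is called once and every thread receives the same new access token.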

Hello @BlackPanda! I appreciate the response. I have successfully gone through steps 1 through 5 – my testing is currently failing on step 6 (the token request).

I’m currently making the POST to the token endpoint with all the required parameters but am receiving a response that seems conflicting:

‘Invalid request. Instead of a GET request, you should be making a POST with valid POST params. For more information, see OAuth2’

and the response is returning a 404 which is confusing.

This is my request:

POST http://www.coinbase.com/oauth/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=authorization_code&redirect_uri=http%3A%2F%2F127.0.0.1%3A5000%2Foauth2%2Fcallback%2Fcoinbase-poc&client_id=2baabdd1362c6ac8c5133c9147a4993900b200f10f94d30ef2f858dd070f79ad&client_secret=[REDACTED]&code=40768431162eaba0bad1c7848fb946363f19b07bd00ed84d1ab196be2454cf8c

I also reconfirmed that I don’t have any typos/whitespace in the configuration on my side as well.

Do you have any insight? Is there any chance you can look into your logs to see if I’m doing something wrong? Here is my app’s client ID: 2baabdd1362c6ac8c5133c9147a4993900b200f10f94d30ef2f858dd070f79ad

Thank you so much!

Ah I’m noticing that my app is attempting to make the callout via http and not https first, but then eventually makes the request via https and that results in the 404 🤔

I’ll dig into that right now, but would appreciate any other insight as well!

Edit: Yep, that was it. Looks like I am unblocked. Thank you again for the quick response here!

Hi @ian-ridian! Thanks for letting us know it all worked out. Please reach out in the future if you need anything else. Have a great day!

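The failure resolved in this thread, reproduced offline as an added example (not code from the original posts or from Coinbase): Python's `urllib`, like many HTTP clients, follows a 301 on a POST by re-sending it as a GET without the body, so a token request sent to an `http://` URL can reach the endpoint as a GET. `StubTokenServer`, its `/tls/oauth/token` path, `NoRedirect`, `post_form` and `demo` are constructed for illustration; that the poster's client behaved the same way is an assumption.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class StubTokenServer(BaseHTTPRequestHandler):
    """Constructed stand-in: /oauth/token plays the http:// URL and redirects."""
    def _handle(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.command == "GET":
            status = 404  # the token endpoint only accepts POST
        else:
            status = 301 if self.path == "/oauth/token" else 200
        self.send_response(status)
        if status == 301:
            self.send_header("Location", "/tls/oauth/token")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _handle
    def log_message(self, *args):  # keep the demo quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an error instead of re-sending as GET


def post_form(url, params, follow_redirects):
    """POST form-encoded params and return the status the client ends up with."""
    handlers = [urllib.request.ProxyHandler({})]  # ignore any proxy env settings
    handlers += [] if follow_redirects else [NoRedirect]
    body = urllib.parse.urlencode(params).encode()
    try:
        req = urllib.request.Request(url, data=body)
        with urllib.request.build_opener(*handlers).open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    server = HTTPServer(("127.0.0.1", 0), StubTokenServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/oauth/token"
    params = {"grant_type": "authorization_code", "code": "constructed-code"}
    result = post_form(url, params, True), post_form(url, params, False)
    server.shutdown()
    return result
```

`demo()` returns `(404, 301)`: following the redirect ends in the GET-only 404 seen in the thread, while refusing redirects exposes the 301 so the token URL can be corrected to `https://`. By the time the redirect arrives, the first request has already carried `client_secret` and `code` over plain HTTP.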