Noob error check: 401 on new trading key

so i made a new key with view and trade permissions (was this correct?)

I keep getting the advice “make sure your permissions are correct.” However, there is only one way to set permissions for Trading Keys (I am aware of). I do not see a nice permissions configurator like I do with my profile API key for coinbase.

I am also using axios/JWT for the first time, so I might need some corrections, here also.

you’ll see that my key_name and key_secret are stored on a USB. I get these details from usb ok.

I get a 401/unauthorized. Just need some help getting my REST call right. Any help is appreciated.

here is my javascript:

const axios = require('axios');
const jwt = require('jsonwebtoken');
const fs = require('fs');

const data = fs.readFileSync('/Volumes/Extreme SSD/coinbaseSecurity/coinbase_cloud_api_key.json', 'utf8');
const json = JSON.parse(data);
const key_name =; 
const key_secret = json.privateKey; 
const uuid = `/${json.principal}`

const request_method = 'GET';
const request_host = '';
const request_path = '/api/v3/brokerage/accounts';
const service_name = 'retail_rest_api_proxy';

const jwt_payload = {
  aud: [service_name],
  iss: 'coinbase-cloud',
  nbf: Math.floor( / 1000),
  exp: Math.floor( / 1000) + 30,
  sub: key_name,
  uri: request_method + ' ' + request_host + request_path,

const jwt_header = {
  kid: key_name,
  nonce: Math.floor( / 1000).toString(),

const token = jwt.sign(jwt_payload, key_secret, {
  algorithm: 'ES256',
  header: jwt_header,

const getAccounts = async () => {
  try {
    const response = await axios.get(request_host + request_path + uuid, {
      headers: {
        'Authorization': 'Bearer ' + token,
        'Content-Type': 'application/json'
  } catch (error) {


May I suggest to forget about USB? Initially, of course…

Paste required values in code to prevent potential issues by parsing loaded file!? Make sure newlines are real newlines and are treated as such when you pass secret to sign function.

I see you are trying to get specific account but jwt is generated as if you would request all accounts. I guess this is real problem, you need to include uuid par also in uri part of payload.

You must generate a different JWT for each unique API request.

1 Like

should i copy/paste the key with the /n symbols, as in the example?

Yes, at least that is what I do.