`send:bypass_2fa` scope is only allowed for reviewed applications

I am attempting to apply the send:bypass_2fa scope, but when I do I get the following error in the authorization screen:

I viewed my application, but do not see where it can be reviewed. How exactly does this occur?

Thank you for any assistance you can provide.

Hello @Mike-E! Thank you for taking an interest in trying out Coinbase APIs. For the details regarding your concern, we will check on this for you with our team. We will get back to you once we have more information. Keep in touch!


Hi @HakunaMatata I wanted to check in on this issue. Thank you for any update you can provide. :pray:

Hi @Mike-E! Thank you for checking in on this topic.

After following up with our product team, we have been informed that they are planning to deprecate this scope by end of year, due to the risk it can be used by attackers to skip 2FA to takeover an account and withdraw user funds without friction.

As they are planning to deprecate the send:bypass_2fa scope, there are no plans to update that error message at this time.

1 Like

Well, except for the other fully friction-inducing and overly-protective setting that you have employed with wallet:transactions:send is limited $1.00/day per user :stuck_out_tongue:

I am really disappointed to hear about this development. This is causing a huge headache for me. Consider that for my application:

  1. I create an access token for the exact amount needed to transfer (This is currently rebuffed with the above setting as captured here)
  2. Transfer the value
  3. Revoke/invalidate the token immediately after usage

It’s also frustrating to see the desired behavior implemented in Coinbase Exchange/Pro APIs.
They are excellent! Yet the Coinbase Retail APIs are holding up the show here with these overly burdensome and difficult-to-use scopes and restrictions.

And another thing :grin:

Consider that in my case I am sending Coinbase-to-Coinbase. So, the value is staying within your system with an identified email address/username. I think there’s a difference between sending in-network, and out-of-network (crypto address). Sending out of network is what a bad actor would do.

Sending in-network should be 2FA optional and sending out of network should be 2FA required. Thank you for your consideration.