Hello @Mike-E! Thank you for taking an interest in trying out Coinbase APIs. For the details regarding your concern, we will check on this for you with our team. We will get back to you once we have more information. Keep in touch!
Hi @Mike-E! Thank you for checking in on this topic.
After following up with our product team, we have been informed that they are planning to deprecate this scope by end of year, due to the risk it can be used by attackers to skip 2FA to take over an account and withdraw user funds without friction.
As they are planning to deprecate the send:bypass_2fa scope, there are no plans to update that error message at this time.
Well, except for the other fully friction-inducing and overly-protective setting that you have employed with wallet:transactions:send is limited $1.00/day per user
I am really disappointed to hear about this development. This is causing a huge headache for me. Consider that for my application:
1. I create an access token for the exact amount needed to transfer (This is currently rebuffed with the above setting as captured here)
2. Transfer the value
3. Revoke/invalidate the token immediately after usage
It’s also frustrating to see the desired behavior implemented in Coinbase Exchange/Pro APIs.
They are excellent! Yet the Coinbase Retail APIs are holding up the show here with these overly burdensome and difficult-to-use scopes and restrictions.
Consider that in my case I am sending Coinbase-to-Coinbase. So, the value is staying within your system with an identified email address/username. I think there’s a difference between sending in-network, and out-of-network (crypto address). Sending out of network is what a bad actor would do.
Sending in-network should be 2FA optional and sending out of network should be 2FA required. Thank you for your consideration.