
Coinbase Pro and Sandbox Login Endpoints


I am using Spring 5 and Java 8 to create an application to use Coinbase Pro to make trades for myself and others. I have a coinbase.properties file and it has the following properties:

authorize.url=https://www.coinbase.com/oauth/authorize
access.url=http://www.coinbase.com/oauth/token
token.url=https://api.coinbase.com/oauth/token
current.user.url=https://api.coinbase.com/v2/user

I can call the authorize page for Coinbase, and the user allows Authorization. After Authorization, it comes back to my callback page with a code and the state I originally sent. I can use that code to generate an access_token and refresh_token. I save that refresh_token in the database because I know the access_token is only good for 2 hours, and if I want to do something again, I can use the refresh_token to get a new access_token and new refresh_token ... all good.

So, as you can see, I am using Oauth2 to authenticate to Coinbase. I can use the user.url to get information about the user passing in the user id. Of course, I also have to pass in the access_token:

 header:  Authorization:  Bearer {access_token}

So, the first question is ... can I use this OAuth mechanism for Coinbase Pro and the Coinbase Pro Sandbox to make trades for myself and others? When looking up Coinbase Pro, I saw only the REST API link:

https://api.pro.coinbase.com      (not interested in the FIX link)

I am guessing I would have to change my properties to:

authorize.url=https://www.coinbase.com/oauth/authorize
access.url=http://www.coinbase.com/oauth/token
token.url=https://api.pro.coinbase.com/oauth/token
current.user.url=https://api.pro.coinbase.com/v2/user
order.url=https://api.pro.coinbase.com/orders

The Coinbase Pro REST API documentation for /orders talks about the API Key and signing the message. But that looks like it applies only if I am making trades for myself. If I am making trades for others, then I am using Oauth2, which absolutely seems the way to go.

I am testing out the functionality of the sell/trade orders, and I can use Sandbox for this. Sandbox is a little different; there we have a base endpoint and a REST API endpoint:

# https://public.sandbox.pro.coinbase.com/
# https://api-public.sandbox.pro.coinbase.com

In this case, if I am using Oauth2 for authentication, I would expect the following:

authorize.url=https://public.sandbox.pro.coinbase.com/oauth/authorize
access.url=https://public.sandbox.pro.coinbase.com/oauth/token
token.url=https://api-public.sandbox.pro.coinbase.com/oauth/token
current.user.url=https://api-public.sandbox.pro.coinbase.com/v2/user
order.url=https://api-public.sandbox.pro.coinbase.com/orders

In this way, I am using Oauth2 authentication with the Coinbase Pro sandbox. That way I can use the access_token to make trades for myself and others. I am looking at the documentation for Coinbase Pro, and when it comes to making orders, I am presuming that I also need to add the header for "Authentication" Bearer {access_token}.

If this is all correct, then I am well on my way. I just wanted to have verification that I was on the right road, and if I am not, then any help would be very useful. Of course, if I can't use Oauth2 authentication to make trades for myself and others with Coinbase Pro, then I'd need to look into that.

Thanks!


Solution

  • After much research and "trial and error," I have found that Coinbase (standard) uses Oauth2, which means we can use this secure mechanism to make trades for others. However, it costs more per trade, and you do not get the trade details you would from Coinbase Pro.

    Coinbase Pro is a completely different animal technically than what any web-site will say. Coinbase Pro does NOT use Oauth2 in any way, shape, or form. It has no mechanism for allowing someone to trade on someone else's behalf. It uses an API Key which allows you to create a passphrase; you have a Secret Key and a Public Key which you can use to create bots to trade for you and you alone.

    This means any web-site, like CryptoHopper, forces you to enter your API key secret information into their site, which is a monumentally bad idea. Because a user enters their keys into that system, CryptoHopper can use those keys to make trades for you. However, the security is a big concern. I would hope that CryptoHopper would double-encrypt that data in case their data gets compromised.

    This answers my question: Coinbase has a bunch of standard Oauth2 REST APIs that make it secure for trading utilizing access and refresh tokens.

    Coinbase Pro has its own endpoint for REST: https://api.pro.coinbase.com. You log into Coinbase Pro and you can create your API Keys there.

    Coinbase Pro SANDBOX has its own endpoint for REST:
    https://api-public.sandbox.pro.coinbase.com

    And the web-site is: https://public.sandbox.pro.coinbase.com. Once you log into this site, you can see there are dummy bank accounts, and you can create "sandbox" API keys so you can make trades against this dummy system.

    It was my mistake that Coinbase Pro, sandbox or not, had anything to do with Oauth2.

    Hope this helps someone else.
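
The API-key scheme the answer describes, sketched as an added Java 8 example (not code from the original post or from Coinbase). The CB-ACCESS-* header names and the prehash layout (timestamp + method + path + body, HMAC-SHA256 keyed with the base64-decoded secret) are assumed from the Coinbase Pro REST documentation, and the key, secret, passphrase and order body are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CoinbaseProSigner {
    private final String apiKey;
    private final byte[] secret;      // the API secret is issued base64-encoded
    private final String passphrase;

    public CoinbaseProSigner(String apiKey, String base64Secret, String passphrase) {
        this.apiKey = apiKey;
        this.secret = Base64.getDecoder().decode(base64Secret);
        this.passphrase = passphrase;
    }

    // Builds the per-request auth headers; body is "" for requests without one.
    // Header names are an assumption taken from the Coinbase Pro REST docs.
    public Map<String, String> headers(String timestamp, String method,
                                       String requestPath, String body) throws Exception {
        String prehash = timestamp + method.toUpperCase(Locale.ROOT) + requestPath + body;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] sig = mac.doFinal(prehash.getBytes(StandardCharsets.UTF_8));
        Map<String, String> h = new LinkedHashMap<>();
        h.put("CB-ACCESS-KEY", apiKey);
        h.put("CB-ACCESS-SIGN", Base64.getEncoder().encodeToString(sig));
        h.put("CB-ACCESS-TIMESTAMP", timestamp);
        h.put("CB-ACCESS-PASSPHRASE", passphrase);
        return h;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sandbox-style credentials, not real keys.
        String secret = Base64.getEncoder().encodeToString(
                "constructed-sandbox-secret".getBytes(StandardCharsets.UTF_8));
        CoinbaseProSigner signer =
                new CoinbaseProSigner("constructed-key-id", secret, "constructed-passphrase");
        String ts = String.valueOf(System.currentTimeMillis() / 1000L); // epoch seconds
        String body = "{\"side\":\"sell\",\"product_id\":\"BTC-USD\",\"size\":\"0.01\",\"price\":\"100000.00\"}";
        for (Map.Entry<String, String> e : signer.headers(ts, "POST", "/orders", body).entrySet()) {
            // Log header names only; the signature and passphrase stay out of logs.
            boolean sensitive = e.getKey().endsWith("SIGN") || e.getKey().endsWith("PASSPHRASE");
            System.out.println(e.getKey() + ": " + (sensitive ? "<redacted>" : e.getValue()));
        }
    }
}
```

Every request is signed with the long-lived secret itself, so whoever stores the key, secret and passphrase can sign any request on that account; nothing here plays the role of the short-lived access_token or the refresh_token from the OAuth2 flow in the question.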