Coinbase Advanced API Tutorial (2026)

The Coinbase Advanced API lets you automate trading, pull live balances, and feed data into your own bots, dashboards, or AI workflows. If you’ve outgrown clicking buttons in the web interface, this is how you scale up.

This tutorial walks through creating API keys, authenticating safely, and running real Python examples against the Advanced Trade API.

Before you start

You’ll need:

• A funded Coinbase account with Advanced access
• Python 3.10+ installed
• Basic comfort with the command line

You also need to accept one rule before writing a single line: never put API keys in your source code or a public repo. Use environment variables. We’ll show how.

Step 1: Create your API keys

1. Log in and go to your Coinbase API settings (under Settings → API).
2. Click Create API key and choose the Advanced Trade scope.
3. Set permissions deliberately:
   • view — read balances and market data (safe, read-only)
   • trade — place and cancel orders (powerful — enable only if needed)
   • Do not enable transfer/withdrawal permissions for a trading bot
4. Restrict the key to a specific IP allow-list if you’re running from a fixed server.
5. Save the key name and private key somewhere secure. The private key is shown once.

Coinbase uses ECDSA (or Ed25519) key pairs for the modern Advanced Trade API, not the old static secret. You’ll get a key name and a PEM-formatted private key.

Get API access on Coinbase Advanced →

Step 2: Install the SDK

Coinbase publishes an official Python SDK that handles request signing for you:

pip install coinbase-advanced-py

This is far less error-prone than hand-signing JWTs. Use it unless you have a strong reason not to.

Step 3: Store credentials as environment variables

Never hardcode keys. Put them in your shell profile or a .env file that’s in .gitignore:

export COINBASE_API_KEY="organizations/.../apiKeys/..."
export COINBASE_API_SECRET="-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----"

Step 4: Authenticate and fetch balances

import os
from coinbase.rest import RESTClient

client = RESTClient(
    api_key=os.environ["COINBASE_API_KEY"],
    api_secret=os.environ["COINBASE_API_SECRET"],
)

# List your accounts and balances
accounts = client.get_accounts()
for acct in accounts["accounts"]:
    bal = acct["available_balance"]
    if float(bal["value"]) > 0:
        print(f"{bal['currency']}: {bal['value']}")

This read-only call confirms your authentication works. If you see your balances, the key is valid and the SDK is signing requests correctly.

Step 5: Get live market data

# Current best bid/ask for BTC-USD
product = client.get_product("BTC-USD")
print("Price:", product["price"])

# Recent candles (1-hour granularity)
candles = client.get_candles(
    product_id="BTC-USD",
    start="1717200000",
    end="1717286400",
    granularity="ONE_HOUR",
)
print(candles["candles"][:3])

Market-data endpoints don’t require the trade permission, so you can build dashboards and research tools with a read-only key.

Step 6: Place a limit order

This requires the trade permission. Start small and on a test amount until you trust your code:

import uuid

order = client.limit_order_gtc_buy(
    client_order_id=str(uuid.uuid4()),
    product_id="BTC-USD",
    base_size="0.001",     # amount of BTC
    limit_price="60000",   # your limit price in USD
)
print(order)

limit_order_gtc_buy places a good-til-canceled limit order — a maker order, so you pay the lower fee. The client_order_id is a unique idempotency token; reusing one prevents accidental duplicate orders.

Step 7: Cancel an order

order_id = "your-order-id-here"
result = client.cancel_orders(order_ids=[order_id])
print(result)

A safe starter workflow

Build up trust in stages:

1. Read-only first. Run for days with a view-only key, logging balances and prices.
2. Paper-trade your logic. Compute what your bot would do and log it, without placing orders.
3. Tiny live orders. Enable trade, place minimum-size orders, verify fills.
4. Scale gradually. Only increase size once the code behaves exactly as expected.

Security checklist

Practice	Why it matters
Never commit keys to git	Leaked keys = drained or mis-traded account
Use environment variables	Keeps secrets out of source
Disable withdrawal permission	A trading bot never needs to move funds out
IP allow-list the key	Limits damage if the key leaks
Rotate keys periodically	Reduces exposure window
Add rate-limit handling	Avoid bans and missed orders under load

Rate limits and reliability

The Advanced Trade API enforces rate limits per key. Wrap calls in retry logic with exponential backoff, and respect the limits — hammering the API gets you throttled and can cause you to miss fills during volatile periods, which is exactly when your bot matters most.

What you can build with it

Once authentication is working, the API opens up a lot. Common projects worth building:

• A balance dashboard that pulls your holdings and USDC rewards into a single view, refreshed on a schedule.
• A DCA bot that places a small recurring limit order every day or week without you touching the app.
• An alert system that watches price or order-book depth and pings you when conditions you care about are met.
• A feed into AI tools — pipe live balances and recent fills into an LLM workflow to generate research notes or risk summaries.
• A reconciliation script that pulls your full transaction history for tax tooling.

Start with read-only versions of these. A dashboard and an alert system need no trade permission at all, so they’re the safest place to build confidence in your code before you ever enable order placement.

Bottom line

The Coinbase Advanced API is well-documented, has an official Python SDK, and uses modern key-pair authentication. Start read-only, store secrets in environment variables, disable withdrawal permissions, and scale your live trading slowly. Once it’s wired up, you can automate orders, feed balances into AI tools, and build whatever your strategy needs.

Not financial advice. Crypto involves real risk. Trade only what you can afford to lose.