Authentication overview

CoinDesk's API provides developers with programmatic access to its extensive collection of cryptocurrency market data, news feeds, and indices. To ensure secure and controlled access to this data, all API requests must be authenticated. The primary authentication mechanism employed by CoinDesk is the use of API keys. These keys serve as unique identifiers and secret tokens, allowing the CoinDesk API to verify the identity of the requesting application and authorize access based on the user's subscription level and permissions.

Authentication is a prerequisite for making any calls to the CoinDesk API beyond the most basic, publicly available endpoints. Proper authentication ensures that only authorized applications consume API resources, helping to maintain service stability and enforce rate limits effectively. It also protects your data and API usage from unauthorized third parties. Developers integrating with the CoinDesk API should familiarize themselves with the process of obtaining and securely managing their API keys, as outlined in the official CoinDesk API documentation.

Supported authentication methods

CoinDesk primarily supports API key authentication for its data and news APIs. This method is common for web services where server-to-server communication or client-side applications need to access protected resources. The API key acts as a long-lived token that grants access upon presentation. While other authentication schemes like OAuth 2.0 are prevalent in many API ecosystems, CoinDesk's current model simplifies access by focusing on a direct API key approach.

The API key is typically passed in the request headers, ensuring it is part of every authenticated call. This practice aligns with standard security recommendations for API key usage, where keys should not be exposed in URLs or client-side code without additional protective measures. The security level of API keys largely depends on how they are stored and transmitted. When handled correctly, API keys provide a straightforward and effective way to manage access to the CoinDesk API.

Authentication methods table

Method When to Use Security Level
API Key Programmatic access to CoinDesk data, server-side applications, or trusted client environments. Moderate (depends heavily on secure storage and transmission practices).

Getting your credentials

To obtain your CoinDesk API credentials, you must first register for a CoinDesk account and subscribe to an API plan. CoinDesk offers a free basic API access tier with rate limits, as well as paid plans starting with the Developer Plan at $299/month, which provide higher request allowances and additional data access. Once your account is set up and your plan is active, you can generate your API keys through your CoinDesk account dashboard.

  1. Sign Up/Log In: Navigate to the CoinDesk website and either create a new account or log in to an existing one.
  2. Access API Dashboard: Locate the API section or developer dashboard within your account settings. This is typically where you manage your subscriptions and API keys.
  3. Generate API Key: Follow the instructions to generate a new API key. The dashboard usually provides an option to create a new key, often associated with a specific project or application for better organization and revocation control.
  4. Record Your Key: Once generated, the API key will be displayed. It is crucial to copy and store this key securely immediately. For security reasons, API keys are often shown only once and cannot be retrieved if lost. If lost, you may need to revoke the old key and generate a new one.

Ensure that you understand the terms of service and rate limits associated with your chosen plan, as exceeding these limits can result in temporary blocks or additional charges. Detailed instructions for key generation and management are available in the CoinDesk API documentation portal.

Authenticated request example

After obtaining your API key, you will typically include it in the Authorization header of your HTTP requests to the CoinDesk API. The specific header name and format are usually specified in the API documentation. For CoinDesk, a common pattern involves prefixing the API key with a scheme like Bearer or directly using a custom header name.

Here's an example using curl to fetch data from a hypothetical CoinDesk API endpoint, assuming the API key should be sent in an X-CoinDesk-API-Key header:


curl -X GET \
  'https://api.coindesk.com/v1/bpi/currentprice.json' \
  -H 'X-CoinDesk-API-Key: YOUR_API_KEY_HERE'

In this example:

  • YOUR_API_KEY_HERE should be replaced with the actual API key you generated from your CoinDesk account.
  • https://api.coindesk.com/v1/bpi/currentprice.json represents a placeholder for a CoinDesk API endpoint, which might provide real-time Bitcoin Price Index data.
  • The -H 'X-CoinDesk-API-Key: YOUR_API_KEY_HERE' part adds the custom header with your API key, authenticating your request.

Always refer to the specific CoinDesk API endpoint documentation for the exact header name and authentication scheme required for each API call, as these details can vary.

Security best practices

Securing your API keys is paramount to prevent unauthorized access to your CoinDesk account and data, potential abuse of your rate limits, and exposure of sensitive information. Adhering to industry-standard security practices for API key management is crucial.

  • Never hardcode API keys: Avoid embedding API keys directly into your source code. Instead, use environment variables, configuration files, or secure secret management services. This prevents keys from being exposed if your code repository is compromised.
  • Use environment variables for server-side applications: For applications running on servers, store API keys as environment variables. This makes them accessible to your application without being part of the codebase.
  • Implement client-side security carefully: If your application runs client-side (e.g., in a browser), direct exposure of API keys is a significant risk. Consider using a backend proxy to make API calls, where your server authenticates with CoinDesk and then serves data to your client. This way, the API key never leaves your server environment.
  • Restrict key permissions: While CoinDesk API keys generally grant access based on your subscription, if there were options for granular permissions, you would apply the principle of least privilege, granting only the necessary access.
  • Rotate API keys regularly: Periodically generate new API keys and revoke old ones. This practice reduces the window of opportunity for a compromised key to be exploited.
  • Monitor API usage: Keep an eye on your API usage statistics within your CoinDesk account dashboard. Unusual spikes in usage could indicate a compromised key.
  • Secure your development environment: Ensure that your local development machine and deployment pipelines are secure. Protect against malware and unauthorized access that could expose your credentials.
  • Use HTTPS: Always ensure that all communications with the CoinDesk API occur over HTTPS. This encrypts the data in transit, protecting your API key and other sensitive information from eavesdropping. The IETF RFC 7230 outlines general requirements for HTTP/1.1, which includes security considerations like the use of TLS.
  • IP Whitelisting (if available): If CoinDesk provides IP whitelisting functionality, enable it. This restricts API access exclusively to requests originating from a list of trusted IP addresses, adding another layer of security.
  • Error Handling: Implement robust error handling in your application to gracefully manage authentication failures without exposing sensitive information to end-users or logs.

By following these best practices, developers can significantly reduce the risk of API key compromise and maintain the security and integrity of their CoinDesk API integrations.