Authentication overview
CoinGecko's API utilizes API keys for authenticating requests. This mechanism identifies the requesting application and associates it with a specific user account and subscription tier, thereby enforcing appropriate rate limits and access permissions. The authentication process for CoinGecko's API is consistent across its various plans, from the API Free Plan to the Enterprise tiers.
When making requests, the presence and validity of an API key determine whether the request is processed and at what rate. Endpoints that retrieve market data, historical prices, NFT data, or other premium information generally require authentication. While some basic endpoints might be accessible without a key on the free tier, consistent and higher-volume access, especially for commercial applications, necessitates proper API key integration.
API keys act as a secret token; their compromise can lead to unauthorized usage of a user's allocated API request quota. Therefore, secure handling of these keys is a critical aspect of integrating with the CoinGecko API.
Supported authentication methods
CoinGecko primarily supports API key authentication. This method involves including a unique, secret key with each request to the API. The specifics of how the key is passed depend on the user's subscription tier.
| Method | When to Use | Security Level | Client-Side Use |
|---|---|---|---|
| API Key (Free Plan) | For general access to the API Free Plan, typically passed as a query parameter. | Moderate (requires secure handling) | Discouraged (risk of exposure) |
| API Key (Pro/Business/Enterprise) | For higher rate limits and advanced features available on paid plans, passed as a custom HTTP header. | High (when used correctly in headers) | Discouraged (risk of exposure) |
API Key for Free Plan
For users on the API Free Plan, the API key is typically included as a query parameter directly within the URL of the API request. While convenient for testing and simple integrations, this method means the API key might appear in server logs or browser history, increasing its exposure risk if not managed carefully.
API Key for Pro, Business, and Enterprise Plans
Paid plans (Pro, Business, Enterprise) utilize a more secure method where the API key is passed as a custom HTTP header, specifically x-cg-pro-api-key. This approach is generally preferred over query parameters because HTTP headers are less likely to be cached or logged in the same way as URL parameters, reducing some exposure vectors. This method aligns with common practices for RESTful API authentication where secrets are transmitted outside the URL path or query string.
Organizations like AWS API Gateway also recommend using custom headers or authorization headers for API keys to enhance security, aligning with industry best practices for API key management.
Getting your credentials
To obtain your CoinGecko API key, you need to register an account on the CoinGecko website and navigate to the API section of your user dashboard.
- Create a CoinGecko Account: Go to the CoinGecko homepage and sign up for a new account if you don't already have one.
- Access API Dashboard: Once logged in, locate the 'API' or 'Developer' section within your account dashboard. The exact navigation may vary, but it's typically found under user settings or a dedicated API menu item.
- Generate API Key: Within the API dashboard, there will be an option to generate a new API key. For free tier users, a key might be automatically provided or easily generated. For paid plans, you will need to subscribe to a Pro, Business, or Enterprise plan first, after which your unique API key will become available.
- Securely Store Your Key: After generation, the key will be displayed. It is crucial to copy this key immediately and store it in a secure location. CoinGecko typically provides the key only once for security reasons, meaning you might not be able to retrieve it again if lost, only regenerate a new one.
For paid plans, ensure your subscription is active, as the API key is directly linked to your plan's features and rate limits. Details regarding specific plan features and associated API access are outlined on the CoinGecko API pricing page.
Authenticated request example
The following examples demonstrate how to make an authenticated request to the CoinGecko API, distinguishing between the free tier (query parameter) and paid tiers (HTTP header). For these examples, we'll assume an endpoint like /simple/price to fetch cryptocurrency prices.
Free Plan API Key (Query Parameter)
For free users, the API key is typically appended as a query parameter, such as x_cg_demo_api_key.
curl -X GET "https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd&x_cg_demo_api_key=YOUR_FREE_API_KEY"
import requests
api_key = "YOUR_FREE_API_KEY"
url = f"https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd&x_cg_demo_api_key={api_key}"
response = requests.get(url)
print(response.json())
Pro/Business/Enterprise Plans API Key (HTTP Header)
For paid subscribers, the API key is passed in a custom HTTP header, x-cg-pro-api-key.
curl -X GET "https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd" \
-H "x-cg-pro-api-key: YOUR_PRO_API_KEY"
import requests
api_key = "YOUR_PRO_API_KEY"
headers = {
"x-cg-pro-api-key": api_key
}
url = "https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd"
response = requests.get(url, headers=headers)
print(response.json())
Replace YOUR_FREE_API_KEY or YOUR_PRO_API_KEY with your actual API key obtained from your CoinGecko dashboard. The specific endpoint parameters (ids, vs_currencies) should be adjusted according to the data you wish to retrieve, as described in the CoinGecko API documentation.
Security best practices
Securing your CoinGecko API keys is essential to prevent unauthorized access, avoid exceeding rate limits due to fraudulent usage, and maintain the integrity of your applications. Adherence to these best practices helps mitigate common security risks:
- Do Not Expose API Keys in Client-Side Code: Never embed your API keys directly into client-side code (e.g., JavaScript in web browsers, mobile app binaries). This makes the key publicly viewable and vulnerable to extraction. All requests requiring an API key should originate from your secure backend server.
- Use Environment Variables or Secret Management Services: Store your API keys in environment variables (e.g.,
COINGECKO_API_KEY) or a dedicated secret management service (e.g., Google Cloud Secret Manager, AWS Secrets Manager) on your server. This prevents the key from being committed to version control systems like Git and keeps it out of application source code. - Never Hardcode API Keys: Avoid embedding API keys directly into your source code files. Hardcoded keys are difficult to rotate and pose a significant security risk if the codebase is ever compromised.
- Restrict API Key Privileges (if applicable): While CoinGecko API keys generally grant access based on the subscription tier, if there are future options to restrict key permissions (e.g., read-only vs. write access), always apply the principle of least privilege. Grant only the necessary permissions required for your application's functionality.
- Implement IP Whitelisting (if available): If CoinGecko offers IP whitelisting capabilities for paid plans, configure your API keys to only accept requests from a predefined set of trusted IP addresses belonging to your servers. This adds an extra layer of security, preventing unauthorized access even if the key is stolen.
- Monitor API Usage: Regularly monitor your API usage through your CoinGecko dashboard. Unusual spikes in requests or access patterns could indicate a compromised key.
- Key Rotation: Periodically rotate your API keys, especially if you have a large team or if there's any suspicion of compromise. Regenerating a key invalidates the old one, forcing any unauthorized users to re-authenticate with a new, valid key.
- Secure Communication (HTTPS): Always ensure that all your API requests are made over HTTPS. This encrypts the data in transit, protecting your API key and other sensitive information from interception during transmission. CoinGecko's API endpoints are served over HTTPS by default, but client-side configuration must also ensure this.
- Error Handling: Implement robust error handling for API authentication failures. Avoid providing verbose error messages that might reveal sensitive information about your authentication setup.
By diligently applying these practices, developers can significantly enhance the security posture of their applications integrating with the CoinGecko API.