Custody·Multi-chain · EVM · Solana · Bitcoin
Coinbase Prime
Institutional brokerage, agency trading, custody, and on-chain staking from Coinbase, combining the Coinbase Custody Trust qualified custodian with deep liquidity and a REST + WebSocket API for portfolios, orders, transfers, and onchain wallets.
- 01US qualified custody (Coinbase Custody Trust)
- 02institutional spot brokerage and agency trading
- 03staking-as-a-service
- 04portfolio-scoped treasury operations
- 05post-trade settlement at scale
| Variable | Scope | Description |
|---|---|---|
| COINBASE_PRIME_ACCESS_KEY | Server | Prime API access key (UUID) issued from the Prime portal for a specific portfolio. |
| COINBASE_PRIME_PASSPHRASE | Server | Passphrase chosen at API key creation; required in the `X-CB-ACCESS-PASSPHRASE` header. |
| COINBASE_PRIME_SIGNING_KEY | Server | Base64-encoded HMAC secret used to sign each request. |
| COINBASE_PRIME_PORTFOLIO_ID | Server | Default Prime portfolio ID to scope orders and transfers. |
Use Coinbase Prime's REST API for institutional brokerage, custody, and on-chain wallets. Authenticate every request with HMAC-SHA256 over `timestamp + method + requestPath + body` and send `X-CB-ACCESS-KEY`, `X-CB-ACCESS-PASSPHRASE`, `X-CB-ACCESS-SIGNATURE`, `X-CB-ACCESS-TIMESTAMP`. Common endpoints: `POST /v1/portfolios/{portfolio_id}/order` to place a TWAP/limit/market order, `POST /v1/portfolios/{portfolio_id}/wallets/{wallet_id}/transactions` to initiate a withdrawal, `GET /v1/portfolios/{portfolio_id}/balances` for balances, and `POST /v1/portfolios/{portfolio_id}/onchain_addresses` for deposit address allocation. The `coinbase-samples/prime-sdk-ts` and `prime-sdk-go` reference clients implement the auth scheme — fork or vendor them rather than rolling your own signer.
- ⚑Withdrawals require addresses pre-registered in Prime's allowlist; books with travel-rule counterparty info must be filed before the address can receive transfers.
- ⚑Every API key is scoped to a single portfolio — multi-portfolio integrations must hold one key set per portfolio and route requests by `portfolio_id`.
- ⚑Signature timestamps must be within ~30s of Prime's clock; serverless cold starts and certain edge runtimes drift enough to produce intermittent 401s — use a server-side time source.
- ⚑IP allowlisting is enabled by default for Prime API keys; deployments behind dynamic NAT or serverless egress need a fixed-IP NAT gateway.
- ⚑Trading and custody are governed by Coinbase Custody Trust (NYDFS-chartered) — certain assets are unsupported in NY and other US states, and high-value withdrawals trigger manual security review.
- ⚑Sandbox/UAT environments are limited; many integrators test directly against production with small amounts, which means typos can cost real money — gate by `process.env.NODE_ENV` and dry-run policy.
- ⚑The `coinbase-samples/*` repos are 'samples' — supported but not on Coinbase's main release cadence; pin commits and re-test on Prime API version bumps.