Coinbax API

OAuth 2.0

View as Markdown

List OAuth clients

GET/api/v1/oauth/clientsBearer token

List all OAuth clients for a platform

Query parameters

  • platformIdstringrequired
  • workspaceIdstringrequired

Responses

200List of OAuth clients
array of OAuthClientInfoDto
  • clientIdstringrequired

    Client ID

  • namestringrequired

    Client name

  • descriptionstring

    Client description

  • scopesarray of stringrequired

    Scopes granted to this client

    array of string
    string
  • isActivebooleanrequired

    Whether the client is active

  • createdAtstring (date-time)required

    When the client was created

  • lastUsedAtstring (date-time)

    When the client was last used

[
  {
    "clientId": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
    "name": "My Integration App",
    "description": "Third-party integration for transaction processing",
    "scopes": [
      "read:transactions",
      "write:transactions"
    ],
    "isActive": true,
    "createdAt": "2026-02-24T12:00:00Z",
    "lastUsedAt": "2026-02-24T14:30:00Z"
  }
]
curl https://api-staging.coinbax.com/api/v1/oauth/clients?platformId=<platformId>&workspaceId=<workspaceId> \
  -H "Authorization: Bearer $ACCESS_TOKEN"
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients?platformId=<platformId>&workspaceId=<workspaceId>', {
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
  },
});
const result = await response.json();

Create OAuth client

POST/api/v1/oauth/clientsBearer token

Register a new OAuth client for a platform. The client secret is only shown once.

Request body

  • platformIdstringrequired

    Platform ID the OAuth client belongs to

  • workspaceIdstring

    Optional workspace ID for workspace-scoped clients

  • namestringrequired

    Name of the OAuth client

  • descriptionstring

    Description of the OAuth client

  • scopesarray of stringrequired

    List of scopes the client is authorized for

    array of string
    string
  • grantTypesarray of string

    Grant types allowed for this client

    array of string
    string
  • redirectUrisarray of string

    Redirect URIs for authorization code flow (future use)

    array of string
    string

Responses

201OAuth client created successfully
  • clientIdstringrequired

    Generated client ID

  • clientSecretstringrequired

    Generated client secret (only shown once)

  • namestringrequired

    Name of the OAuth client

  • scopesarray of stringrequired

    Scopes granted to this client

    array of string
    string
  • createdAtstring (date-time)required

    When the client was created

  • warningstringrequired

    Warning about client secret storage

{
  "clientId": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
  "clientSecret": "coinbax_secret_x1y2z3a4b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0",
  "name": "My Integration App",
  "scopes": [
    "read:transactions",
    "write:transactions"
  ],
  "createdAt": "2026-02-24T12:00:00Z",
  "warning": "Store the client secret securely. It will not be shown again."
}
400Invalid request or invalid scopes

Response follows the unified success / data / meta / error envelope.

curl -X POST https://api-staging.coinbax.com/api/v1/oauth/clients \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "platformId": "550e8400-e29b-41d4-a716-446655440000",
  "workspaceId": "550e8400-e29b-41d4-a716-446655440001",
  "name": "My Integration App",
  "description": "Third-party integration for transaction processing",
  "scopes": [
    "read:transactions",
    "write:transactions"
  ],
  "grantTypes": [
    "client_credentials"
  ],
  "redirectUris": [
    "https://example.com/callback"
  ]
}'
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    "platformId": "550e8400-e29b-41d4-a716-446655440000",
    "workspaceId": "550e8400-e29b-41d4-a716-446655440001",
    "name": "My Integration App",
    "description": "Third-party integration for transaction processing",
    "scopes": [
      "read:transactions",
      "write:transactions"
    ],
    "grantTypes": [
      "client_credentials"
    ],
    "redirectUris": [
      "https://example.com/callback"
    ]
  }),
});
const result = await response.json();

Get OAuth client details

GET/api/v1/oauth/clients/{clientId}Bearer token

Path parameters

  • clientIdstringrequired

Responses

200OAuth client details
  • clientIdstringrequired

    Client ID

  • namestringrequired

    Client name

  • descriptionstring

    Client description

  • scopesarray of stringrequired

    Scopes granted to this client

    array of string
    string
  • isActivebooleanrequired

    Whether the client is active

  • createdAtstring (date-time)required

    When the client was created

  • lastUsedAtstring (date-time)

    When the client was last used

{
  "clientId": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
  "name": "My Integration App",
  "description": "Third-party integration for transaction processing",
  "scopes": [
    "read:transactions",
    "write:transactions"
  ],
  "isActive": true,
  "createdAt": "2026-02-24T12:00:00Z",
  "lastUsedAt": "2026-02-24T14:30:00Z"
}
404Client not found

Response follows the unified success / data / meta / error envelope.

curl https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId> \
  -H "Authorization: Bearer $ACCESS_TOKEN"
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>', {
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
  },
});
const result = await response.json();

Delete OAuth client

DELETE/api/v1/oauth/clients/{clientId}Bearer token

Permanently delete an OAuth client and all its tokens

Path parameters

  • clientIdstringrequired

Responses

204OAuth client deleted successfully

Response follows the unified success / data / meta / error envelope.

404Client not found

Response follows the unified success / data / meta / error envelope.

curl -X DELETE https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId> \
  -H "Authorization: Bearer $ACCESS_TOKEN"
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>', {
  method: 'DELETE',
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
  },
});
const result = await response.json();

Update OAuth client

PATCH/api/v1/oauth/clients/{clientId}Bearer token

Update OAuth client settings. Deactivating a client will revoke all its tokens.

Path parameters

  • clientIdstringrequired

Request body

  • namestring

    Name of the OAuth client

  • descriptionstring

    Description of the OAuth client

  • scopesarray of string

    Updated list of scopes

    array of string
    string
  • isActiveboolean

    Whether the client is active

Responses

200OAuth client updated successfully
  • clientIdstringrequired

    Client ID

  • namestringrequired

    Client name

  • descriptionstring

    Client description

  • scopesarray of stringrequired

    Scopes granted to this client

    array of string
    string
  • isActivebooleanrequired

    Whether the client is active

  • createdAtstring (date-time)required

    When the client was created

  • lastUsedAtstring (date-time)

    When the client was last used

{
  "clientId": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
  "name": "My Integration App",
  "description": "Third-party integration for transaction processing",
  "scopes": [
    "read:transactions",
    "write:transactions"
  ],
  "isActive": true,
  "createdAt": "2026-02-24T12:00:00Z",
  "lastUsedAt": "2026-02-24T14:30:00Z"
}
404Client not found

Response follows the unified success / data / meta / error envelope.

curl -X PATCH https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId> \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "name": "Updated Integration App",
  "description": "Updated description",
  "scopes": [
    "read:transactions",
    "write:transactions",
    "read:customers"
  ],
  "isActive": true
}'
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>', {
  method: 'PATCH',
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    "name": "Updated Integration App",
    "description": "Updated description",
    "scopes": [
      "read:transactions",
      "write:transactions",
      "read:customers"
    ],
    "isActive": true
  }),
});
const result = await response.json();

Revoke all client tokens

POST/api/v1/oauth/clients/{clientId}/revoke-all-tokensBearer token

Revoke all active access tokens for a client

Path parameters

  • clientIdstringrequired

Responses

200All tokens revoked

Response follows the unified success / data / meta / error envelope.

404Client not found

Response follows the unified success / data / meta / error envelope.

curl -X POST https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>/revoke-all-tokens \
  -H "Authorization: Bearer $ACCESS_TOKEN"
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>/revoke-all-tokens', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
  },
});
const result = await response.json();

Get client token statistics

GET/api/v1/oauth/clients/{clientId}/statsBearer token

Get token usage statistics for a client

Path parameters

  • clientIdstringrequired

Responses

200Token statistics

Response follows the unified success / data / meta / error envelope.

404Client not found

Response follows the unified success / data / meta / error envelope.

curl https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>/stats \
  -H "Authorization: Bearer $ACCESS_TOKEN"
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/clients/<clientId>/stats', {
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
  },
});
const result = await response.json();

Revoke access token

POST/api/v1/oauth/revokeBearer token

Revoke an active access token by its JWT ID (jti)

Request body

  • token_jtistringrequired

    JWT ID (jti) of the token to revoke

Responses

200Token revoked successfully

Response follows the unified success / data / meta / error envelope.

404Token not found

Response follows the unified success / data / meta / error envelope.

curl -X POST https://api-staging.coinbax.com/api/v1/oauth/revoke \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
  "token_jti": "550e8400-e29b-41d4-a716-446655440000"
}'
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/revoke', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.ACCESS_TOKEN}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    "token_jti": "550e8400-e29b-41d4-a716-446655440000"
  }),
});
const result = await response.json();

List available OAuth scopes

GET/api/v1/oauth/scopesPublic

Get the catalog of available OAuth scopes that can be assigned to clients

Responses

200List of available scopes
array of OAuthScope
object
[
  {}
]
curl https://api-staging.coinbax.com/api/v1/oauth/scopes
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/scopes', {
});
const result = await response.json();

OAuth 2.0 Token Endpoint

POST/api/v1/oauth/tokenPublic

Generate access token using Client Credentials flow (RFC 6749)

Request body

  • grant_typeenumrequired"client_credentials"

    OAuth 2.0 grant type

  • client_idstringrequired

    OAuth client ID

  • client_secretstringrequired

    OAuth client secret

  • scopestring

    Space-separated list of requested scopes (optional, defaults to all client scopes)

Responses

200Access token generated successfully
  • access_tokenstringrequired

    JWT access token

  • token_typestringrequired

    Token type (always Bearer)

  • expires_innumberrequired

    Token expiration time in seconds

  • scopestringrequired

    Space-separated list of granted scopes

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read:transactions write:transactions"
}
400Invalid request or unsupported grant type

Response follows the unified success / data / meta / error envelope.

401Invalid client credentials

Response follows the unified success / data / meta / error envelope.

curl -X POST https://api-staging.coinbax.com/api/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
  "grant_type": "client_credentials",
  "client_id": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
  "client_secret": "coinbax_secret_x1y2z3a4b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0",
  "scope": "read:transactions write:transactions"
}'
const response = await fetch('https://api-staging.coinbax.com/api/v1/oauth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    "grant_type": "client_credentials",
    "client_id": "coinbax_client_a1b2c3d4e5f6g7h8i9j0",
    "client_secret": "coinbax_secret_x1y2z3a4b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0",
    "scope": "read:transactions write:transactions"
  }),
});
const result = await response.json();