OAuth2 Gateway

Version: 1.0.0

Kraken Connect is your gateway to seamlessly link external apps like tax tools, trading bots, and portfolio trackers with your Kraken account. Powered by OAuth 2.0, it delivers a secure, hassle-free authorization flow for users and developers alike.

Fast API Keys

No more copying API keys and secrets! Fast API lets users log in to Kraken and instantly authorize trusted third-party apps to connect, making onboarding smoother than ever.

Client Types

Public Client: Runs entirely on users' devices without a backend server. Client secrets cannot be securely stored, as they are at risk of exposure. RSA key generation is not required.
Confidential Client: Operates on a server with a secure backend. Client secrets are stored safely on the server. RSA keys must be generated, and the client secret must be decrypted.

Quick Integration Guide

Get Your Client Credentials

Ready to integrate? Just fill out this form with:

Owner IIBAN (must be linked to a verified business account)
Company Name
Short Company Description
Company website
Logo (PNG, 56x56)
Required Permission Scopes
Redirect URIs

For confidential clients, please include:

RSA Public Key (2048+ bits, PEM format)
- One for test, one for production is ideal!

Creating a Confidential Client

When creating a Confidential Client, Kraken will issue you an OAuth Client ID and an encrypted Client Secret.

To prepare, you first need to generate an RSA key pair:

openssl genrsa -aes128 -out private.pem 4096
openssl rsa -in private.pem -pubout > public.pem

This will create:

private.pem: Your private RSA key, encrypted with AES-128.
public.pem: Your public RSA key.

You must provide Kraken with your public RSA key so that we can encrypt your Client Secret.

Once your OAuth client has been provisioned, you will receive a base64-encoded, RSA-encrypted Client Secret.

To use it, you must decode and decrypt it with your private key:

echo -n "<encrypted client secret>" | base64 -d | openssl rsautl -decrypt -inkey private.pem

This command does the following:

Base64-decodes the encrypted secret.
Decrypts it using your RSA private key.

The decrypted value is your usable Client Secret, which you'll pass as credentials when exchanging for an access token.

Authorization Code Flow

tip

Authorization URL: https://id.kraken.com/oauth/authorize

Token URL: https://api.kraken.com/oauth/token

Direct the user to the authorization endpoint with:
- response_type=code
- client_id
- redirect_uri
- scope (optional)
- state (optional)
User signs in, approves access, and is redirected back to your redirect_uri with an authorization code.
Exchange this code for an access token at the token endpoint using a Basic Auth header with your OAuth client ID and client secret, plus:
- grant_type=authorization_code
- code
- redirect_uri

Refreshing Tokens

When your access token expires:

Call the token endpoint with:
- grant_type=refresh_token
- refresh_token
Receive a new access/refresh token pair.

When a new access token is issued, the old one is immediately invalid.

Basic Auth

When exchanging for the access token, you will send an Authorization header in the format Basic <credentials>

Where <credentials> is the base64-encoding of <client ID>:<client secret>.

For public clients, <client secret> is empty. As such, credentials would be equivalent to <client ID>:.

For confidential clients, <client secret> is the client secret that has been base64 decrypted by your RSA private key.

Token Lifetimes

Token	Validity
Access token	24h (private clients) 4h (public clients)
Refresh token	30 days

Permission Scopes

Permission Scope	Category	Description
account.info:basic	Account Details	Email and public account identifier
account.info:name	Account Details	First name
account.info:location	Account Details	Country and sub division (e.g. state or province)
account.info:kraken-verified	Account Details	Kraken Verified status
account.fast-api-key:funds-query	Account Details	Account Balance
account.fast-api-key:write	Other	Authorize 3rd party app to create, update, and delete Fast API key for connecting user
account.fast-api-key:read	Other	Authorize 3rd party to list Fast API keys of connecting users
account.fast-api-key:funds-add	Funding	Deposit funds
account.fast-api-key:funds-withdraw	Funding	Withdraw funds
account.fast-api-key:funds-earn	Funding	Transfer funds to earn
account.fast-api-key:withdrawal-address-add	Funding	Add withdrawal address without email confirmation
account.fast-api-key:withdrawal-address-update	Funding	Update and remove withdrawal address without email confirmation
account.fast-api-key:trades-query-open	Trading	View open orders and trades
account.fast-api-key:trades-query-closed	Trading	View closed orders and trades
account.fast-api-key:trades-modify	Trading	Create and modify orders
account.fast-api-key:trades-close	Trading	Cancel and modify orders
account.fast-api-key:ledger-query	Ledger	View ledger history
account.fast-api-key:export-data	Ledger	Export data

Fast API Keys​

Client Types​

Quick Integration Guide​

Get Your Client Credentials​

Creating a Confidential Client​

Authorization Code Flow​

Refreshing Tokens​

Basic Auth​

Token Lifetimes​

Permission Scopes​