OAuth2 Gateway

Version: 1.0.0

Kraken Connect is your gateway to seamlessly link external apps like tax tools, trading bots, and portfolio trackers with your Kraken account. Powered by OAuth 2.0, it delivers a secure, hassle-free authorization flow for users and developers alike.

Fast API Keys

No more copying API keys and secrets! Fast API lets users log in to Kraken and instantly authorize trusted third-party apps to connect, making onboarding smoother than ever.

Client Types

  • Public Client: Runs entirely on users' devices without a backend server. Client secrets cannot be securely stored, as they are at risk of exposure. RSA key generation is not required.

  • Confidential Client: Operates on a server with a secure backend. Client secrets are stored safely on the server. RSA keys must be generated, and the client secret must be decrypted.

Quick Integration Guide

Get Your Client Credentials

Ready to integrate? Just fill out this form with:

  • Company Name
  • Short Company Description
  • Company website
  • Logo (PNG, 56x56)
  • Required Permission Scopes
  • Redirect URIs

For confidential clients, please include:

  • RSA Public Key (2048+ bits, PEM format)
    • One for test, one for production is ideal!

Creating a Confidential Client

When creating a Confidential Client, Kraken will issue you an OAuth Client ID and an encrypted Client Secret.

To prepare, you first need to generate an RSA key pair:

openssl genrsa -aes128 -out private.pem 4096
openssl rsa -in private.pem -pubout > public.pem

This will create:

  • private.pem: Your private RSA key, encrypted with AES-128.

  • public.pem: Your public RSA key.

You must provide Kraken with your public RSA key so that we can encrypt your Client Secret.

Once your OAuth client has been provisioned, you will receive a base64-encoded, RSA-encrypted Client Secret.

To use it, you must decode and decrypt it with your private key:

echo -n "<encrypted client secret>" | base64 -d | openssl rsautl -decrypt -inkey private.pem

This command does the following:

  1. Base64-decodes the encrypted secret.

  2. Decrypts it using your RSA private key.

The decrypted value is your usable Client Secret, which you'll pass as credentials when exchanging for an access token.

Authorization Code Flow

  1. Direct the user to the authorization endpoint with:
    • response_type=code
    • client_id
    • redirect_uri
    • scope (optional)
    • state (optional)
  2. User signs in, approves access, and is redirected back to your redirect_uri with an authorization code.
  3. Exchange this code for an access token at the token endpoint using a Basic Auth header with your OAuth client ID and client secret, plus:
    • grant_type=authorization_code
    • code
    • redirect_uri

Refreshing Tokens

When your access token expires:

  1. Call the token endpoint with:
    • grant_type=refresh_token
    • refresh_token
  2. Receive a new access/refresh token pair.

When a new access token is issued, the old one is immediately invalid.

Basic Auth

When exchanging for the access token, you will send an Authorization header in the format Basic <credentials>.

Where <credentials> is the base64-encoding of <client ID>:<client secret>.

For public clients, <client secret> is empty. As such, credentials would be equivalent to <client ID>:.

For confidential clients, <client secret> is the client secret after it has been base64-decoded and decrypted with your RSA private key (see "Creating a Confidential Client" above).
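The three steps of the authorization code flow, the refresh grant and the Basic Auth credential rules above, as an added example (not Kraken's own code). The endpoint URLs are placeholders because the page does not list them; client IDs, secrets and callback URLs in the test are constructed, and for a confidential client the secret passed in is assumed to be the value already decrypted with the openssl command shown earlier.

```python
import base64
import urllib.parse

# Placeholder endpoints: the page does not list Kraken's actual URLs.
AUTHORIZE_URL = "https://AUTH_HOST_PLACEHOLDER/oauth/authorize"
TOKEN_URL = "https://AUTH_HOST_PLACEHOLDER/oauth/token"

def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: URL the user is sent to. `state` is a random per-session value
    (e.g. secrets.token_urlsafe(32)) that parse_callback checks again."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: extract the code from the redirect, refusing it when the state
    does not match the one we issued (CSRF / stale-callback protection)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]

def basic_auth_header(client_id, client_secret=""):
    """Basic base64(client_id:client_secret); a public client has no secret,
    so the encoded value is just "client_id:"."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def token_request(client_id, client_secret, grant_fields):
    """Headers and form body for the token endpoint; for a confidential client
    client_secret is the value decrypted with your RSA private key."""
    return {"url": TOKEN_URL,
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urllib.parse.urlencode(grant_fields)}

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Step 3: authorization_code grant."""
    return token_request(client_id, client_secret, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

def refresh(client_id, client_secret, refresh_token):
    """Refresh grant; the old access token is invalid once the new one is issued."""
    return token_request(client_id, client_secret, {
        "grant_type": "refresh_token", "refresh_token": refresh_token})
```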

Token Lifetimes

Token          Validity
Access token   24h (private clients), 4h (public clients)
Refresh token  30 days

Permission Scopes

Permission Scope                          Description
account.fast-api-key:funds-query          See your account balance
account.fast-api-key:funds-add            Deposit funds to your account
account.fast-api-key:funds-withdraw       Withdraw funds from your account
account.fast-api-key:funds-earn           Transfer funds to earn rewards
account.fast-api-key:trades-query-open    View open orders & trades
account.fast-api-key:trades-query-closed  View closed orders & trades
account.fast-api-key:trades-modify        Create and modify orders
account.fast-api-key:trades-close         Cancel and modify orders
account.fast-api-key:ledger-query         View your ledger history
account.fast-api-key:export-data          Export your ledger history
account.fast-api-key:write                Authorize the 3rd party app to create or remove a fast API key
account.info:basic                        See your account information