OAuth2 Gateway
Kraken Connect is your gateway to seamlessly link external apps like tax tools, trading bots, and portfolio trackers with your Kraken account. Powered by OAuth 2.0, it delivers a secure, hassle-free authorization flow for users and developers alike.
Fast API Keys
No more copying API keys and secrets! Fast API lets users log in to Kraken and instantly authorize trusted third-party apps to connect, making onboarding smoother than ever.
Client Types
- Public Client: Runs entirely on users' devices without a backend server. Client secrets cannot be securely stored, as they are at risk of exposure. RSA key generation is not required.
- Confidential Client: Operates on a server with a secure backend. Client secrets are stored safely on the server. RSA keys must be generated, and the client secret must be decrypted.
Quick Integration Guide
Get Your Client Credentials
Ready to integrate? Just fill out this form with:
- Company Name
- Short Company Description
- Company website
- Logo (PNG, 56x56)
- Required Permission Scopes
- Redirect URIs
For confidential clients, please include:
- RSA Public Key (2048+ bits, PEM format)
- One for test, one for production is ideal!
Creating a Confidential Client
When creating a Confidential Client, Kraken will issue you an OAuth Client ID and an encrypted Client Secret.
To prepare, you first need to generate an RSA key pair:
openssl genrsa -aes128 -out private.pem 4096
openssl rsa -in private.pem -pubout > public.pem
This will create:
- private.pem: Your private RSA key, encrypted with AES-128.
- public.pem: Your public RSA key.
You must provide Kraken with your public RSA key so that we can encrypt your Client Secret.
Once your OAuth client has been provisioned, you will receive a base64-encoded, RSA-encrypted Client Secret.
To use it, you must decode and decrypt it with your private key:
echo -n "<encrypted client secret>" | base64 -d | openssl rsautl -decrypt -inkey private.pem
This command does the following:
- Base64-decodes the encrypted secret.
- Decrypts it using your RSA private key.
The decrypted value is your usable Client Secret, which you'll pass as credentials when exchanging for an access token.
Authorization Code Flow
Authorization URL: https://id.kraken.com/oauth/authorize
Token URL: https://api.kraken.com/oauth/token
Refreshing Tokens
When your access token expires:
When a new access token is issued, the old one is immediately invalid.
Basic Auth
When exchanging for the access token, you will send an Authorization header in the format Basic <credentials>, where <credentials> is the base64 encoding of <client ID>:<client secret>.
For public clients, <client secret> is empty. As such, the credentials are equivalent to <client ID>: (the client ID followed by a colon).
For confidential clients, <client secret> is the client secret after it has been base64-decoded and decrypted with your RSA private key.
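The confidential-client steps above (key generation, secret decryption, Basic credentials) run as one round trip with a throwaway key. This is an added example, not Kraken's code: the client ID, secret, passphrase and function names are constructed, the provider-side encryption is simulated locally, and PKCS#1 v1.5 padding (the `rsautl` default) is assumed.

```shell
#!/bin/sh
# Added example, not Kraken's code. Client ID, secret and passphrase are
# constructed; PKCS#1 v1.5 padding (the rsautl default) is an assumption.

# Base64-decode and RSA-decrypt a client secret.
# $1 = encrypted secret (base64), $2 = private key file; passphrase in KEY_PASS.
decrypt_client_secret() {
    printf '%s' "$1" | openssl base64 -d -A |
        openssl pkeyutl -decrypt -inkey "$2" -passin env:KEY_PASS
}

# Basic credentials: base64 of "<client ID>:<client secret>".
# Omit $2 for a public client, which yields base64 of "<client ID>:".
basic_credentials() {
    printf '%s:%s' "$1" "${2:-}" | openssl base64 -A
}

# Simulate provisioning with a throwaway key pair; prints the recovered secret.
# $1 = plaintext secret the provider would issue (constructed here).
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    KEY_PASS='constructed-passphrase'; export KEY_PASS
    # 2048 bits keeps the demo fast; the page's own command uses 4096.
    openssl genrsa -aes128 -passout env:KEY_PASS \
        -out "$dir/private.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private.pem" -passin env:KEY_PASS \
        -pubout -out "$dir/public.pem" 2>/dev/null
    # Provider side (simulated): encrypt with the public key, then base64.
    enc=$(printf '%s' "$1" |
        openssl pkeyutl -encrypt -pubin -inkey "$dir/public.pem" |
        openssl base64 -A)
    # Client side: recover the plaintext secret with the private key.
    decrypt_client_secret "$enc" "$dir/private.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

secret=$(roundtrip_demo 'example-client-secret')
echo "confidential: Authorization: Basic $(basic_credentials example-client-id "$secret")"
echo "public:       Authorization: Basic $(basic_credentials example-client-id)"
```

The value passed to `basic_credentials` must be the decrypted plaintext; passing the base64 blob as received produces a well-formed header that carries the wrong secret.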
Token Lifetimes
Token | Validity |
---|---|
Access token | |
Refresh token | |
Permission Scopes
Permission Scope | Description |
---|---|
account.fast-api-key:funds-query | See your account balance |
account.fast-api-key:funds-add | Deposit funds to your account |
account.fast-api-key:funds-withdraw | Withdraw funds from your account |
account.fast-api-key:funds-earn | Transfer funds to earn rewards |
account.fast-api-key:trades-query-open | View open orders & trades |
account.fast-api-key:trades-query-closed | View closed orders & trades |
account.fast-api-key:trades-modify | Create and modify orders |
account.fast-api-key:trades-close | Cancel and modify orders |
account.fast-api-key:ledger-query | View your ledger history |
account.fast-api-key:export-data | Export your ledger history |
account.fast-api-key:write | Authorize the 3rd party app to create or remove a fast API key |
account.info:basic | See your account information |