Authentication

All requests to the Coba API must be authenticated using two credentials: an API Client Key and an Access Token.

These two keys work together to securely identify your application and authorize access to protected resources.

In this guide, we’ll show you how to include both in your requests and walk through best practices for keeping your credentials secure. OAuth2 is not required — Coba uses a streamlined token-based system designed for fast and safe integrations.

How It Works

To authenticate with the Coba API, you must include two headers in every request:

  • Authorization: This is where you pass your Access Token.
  • X-Coba-Metal-API-Key: This is where you include your API Client Key.

These two credentials work together to validate and authorize your request.
Both headers are required for all endpoints — missing either will result in a 401 Unauthorized error.

Example request

curl https://api.coba.ai/metal/fx\
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "X-Coba-Metal-API-Key: YOUR_API_CLIENT_KEY" \
  -H "Content-Type: application/json"

Please don't commit your Coba credentials to GitHub!

Always keep them safe and if you suspect they have been compromised, contact support immediately.

Was this page helpful?