Bolt.new AI and Coinbase API integration: Step-by-Step Guide 2025

To integrate Bolt.new with the Coinbase API, you wire Bolt’s server-side code (the built‑in API route or a serverless function) to Coinbase’s REST endpoints using your Coinbase API key, secret, and passphrase. Bolt.new itself doesn’t “connect” automatically — you explicitly call Coinbase’s API from your backend code, load your credentials via environment variables, sign requests exactly as Coinbase requires (HMAC‑SHA256), and return responses to your frontend. The key idea: Bolt is just the workspace; the actual integration is you writing a secure, signed HTTPS request to Coinbase.

 

What Integration Actually Means (Straight Explanation)

 

You integrate Bolt.new with Coinbase by writing backend code inside Bolt (usually a /api/ route) that calls Coinbase’s API using your API credentials stored in environment variables. Coinbase requires a specific authentication format: a timestamp, method, request path, body, and an HMAC‑SHA256 signature using your API secret. Once you generate that signature in your Bolt server code, you can hit endpoints like /accounts, /prices, or /orders. Your frontend then calls your Bolt backend route instead of talking to Coinbase directly, keeping credentials safe.

 

Step-by-Step: How You Do This in Bolt

 

• Create API credentials in Coinbase. Go to Coinbase (Advanced Trade / API Settings), generate API Key, Secret, and Passphrase. Set appropriate permissions (read, trade, etc.).
• Add them to Bolt.new environment variables. In Bolt’s sidebar, define:
  • COINBASE_API_KEY
  • COINBASE_API_SECRET
  • COINBASE_API_PASSPHRASE
• Create a backend route in Bolt (e.g., /api/coinbase/accounts). This route signs and forwards requests to Coinbase.
• Call Coinbase’s REST API using signed headers. Coinbase uses: CB-ACCESS-KEY, CB-ACCESS-SIGN, CB-ACCESS-TIMESTAMP, CB-ACCESS-PASSPHRASE.
• Call your Bolt route from your frontend so the browser never touches Coinbase credentials.

 

Working Example: Bolt API Route That Fetches Coinbase Accounts

 

// File: app/api/coinbase/accounts/route.js
// This is a REAL, valid Coinbase authentication pattern.

import crypto from "crypto";

export async function GET() {
  const apiKey = process.env.COINBASE_API_KEY;
  const apiSecret = process.env.COINBASE_API_SECRET; // base64 string
  const passphrase = process.env.COINBASE_API_PASSPHRASE;

  const timestamp = Math.floor(Date.now() / 1000).toString();
  const method = "GET";
  const requestPath = "/api/v3/brokerage/accounts"; // Coinbase endpoint
  const body = ""; // GET has empty body

  // Coinbase requires HMAC-SHA256 using *decoded* secret
  const prehash = timestamp + method + requestPath + body;
  const key = Buffer.from(apiSecret, "base64");
  const signature = crypto
    .createHmac("sha256", key)
    .update(prehash)
    .digest("base64");

  const response = await fetch("https://api.coinbase.com" + requestPath, {
    method: "GET",
    headers: {
      "CB-ACCESS-KEY": apiKey,
      "CB-ACCESS-SIGN": signature,
      "CB-ACCESS-TIMESTAMP": timestamp,
      "CB-ACCESS-PASSPHRASE": passphrase,
      "Content-Type": "application/json"
    }
  });

  const data = await response.json();
  return new Response(JSON.stringify(data), { status: response.status });
}

 

Why This Works

 

The code above mirrors Coinbase’s real authentication scheme: your Bolt backend signs the request correctly, Coinbase verifies the signature, and returns your account data. Bolt acts as a secure relay. Your frontend never sees sensitive keys, which is required because Coinbase API secrets must never be exposed to the browser.

 

Frontend Example: Calling Your Bolt Endpoint

 

// Example inside a React component in Bolt

async function loadAccounts() {
  const res = await fetch("/api/coinbase/accounts");
  const data = await res.json();
  console.log(data); // Shows Coinbase accounts
}

 

Important Notes When Doing This for Real

 

• Always keep keys in environment variables, never in code.
• Coinbase secrets are base64‑encoded — you must decode them when creating the HMAC key.
• Don’t call Coinbase directly from the client — it exposes keys and won’t work.
• Use the correct endpoint base — Advanced Trade uses /api/v3/brokerage.
• Rate limits matter — reuse backend routes, cache where needed.

 

With this structure, Bolt.new functions like a compact full‑stack workspace: UI → your Bolt backend route → Coinbase API. This is the real, production‑valid architecture for integrating Bolt with Coinbase.