Authorization Request

GET https://exchange.gemini.com/auth

In the OAuth 2.0 authorization code grant flow, the user is directed to an authorization server, which returns an authorization code that may then be exchanged for access and refresh tokens. Access tokens are short-lived (24-hour expiration) and are used to authenticate against Gemini APIs, while refresh tokens never expire and are used to regenerate access tokens. Users should first be redirected to Gemini to authorize access to your application. The user will be prompted to log in using a Gemini OAuth window.

Public clients
Public clients (no client_secret) must use PKCE: also send code_challenge and code_challenge_method=S256, and a non-empty state. See Public Clients and PKCE.
GET /auth
curl --request GET \
  --url 'https://exchange.gemini.com/auth?client_id=my_id&response_type=code&redirect_uri=www.example.com%2Fredirect&state=82350325&scope=balances%3Aread%2Corders%3Acreate'

URL Parameters

client_id (string, required)
Unique ID of your application. This is provided in your API settings.

response_type (string, required)
The literal string "code".
Example: code

redirect_uri (string, required)
The URL users should be returned to after they authorize. This URL must be included in your list of approved redirect URIs in your app registration.

state (string, required)
A random string that will be returned to you in the response. You should verify this matches the value you sent before trusting the response. Required (and must be non-empty) for public clients to protect against CSRF; strongly recommended for confidential clients.

scope (string, required)
A comma-separated list of OAuth scopes corresponding to the access you are requesting. These scopes must be included in your list of scopes in your app registration.

code_challenge (string)
Required for public clients. The PKCE code challenge: BASE64URL-no-padding(SHA-256(code_verifier)). Always 43 characters for the S256 method. See Public Clients and PKCE.

code_challenge_method (string)
Required for public clients. The literal string "S256"; "plain" is not accepted.
Example: S256

Responses

Redirect to redirect_uri with authorization code and state

code (string)
A temporary authorization code to be exchanged for access and refresh tokens.

state (string)
The state value you provided in the request. Verify this matches before trusting the response.

Example Responses
https://www.example.com/redirect?code=90123465-86ee-44ef-b4e3-835cc89bc8a3&state=82350325
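
The request parameters and the state check described above, as an added example for a public client (not Gemini's own code): it builds the authorization URL with an S256 code_challenge and a random state, then returns the code from the redirect only when state matches. The function names and the verifier and state lengths are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://exchange.gemini.com/auth"  # endpoint from this page


def pkce_challenge(code_verifier: str) -> str:
    """BASE64URL-no-padding(SHA-256(code_verifier)); always 43 characters."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri, scopes):
    """Return (url, state, code_verifier).

    Keep state and code_verifier in the user's session: state is compared on
    the redirect, code_verifier is needed later for the token exchange.
    """
    state = secrets.token_urlsafe(32)          # assumed length: 32 random bytes
    code_verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": ",".join(scopes),             # comma-separated, per this page
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",       # "plain" is not accepted
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, code_verifier


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if state matches what was sent."""
    query = parse_qs(urlsplit(callback_url).query)
    states, codes = query.get("state", []), query.get("code", [])
    # A repeated parameter is ambiguous; treat it the same as a missing one.
    if len(states) != 1 or len(codes) != 1:
        raise ValueError("missing or duplicated state/code")
    # Constant-time comparison; on mismatch the code must be discarded.
    if not hmac.compare_digest(states[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return codes[0]
```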
Last modified on June 17, 2026