Back to Gateway Index
Coinbase Commerce logo
Payment Gateway

Coinbase Commerce

Flat 1% crypto payment gateway — sunset March 31, 2026 and folded into Coinbase Business (US & Singapore only)

Builder Verdict

As of April 2026, only pick Coinbase Commerce if you are a US- or Singapore-based merchant who can migrate to Coinbase Business; everyone else has been cut off and should use BitPay, NOWPayments, MoonPay, or Request Network instead.

Complexity

◆ Simple

Region

US & Singapore only

Fees

Flat 1%

Coinbase Commerce was a non-custodial crypto payment gateway launched in 2018 that let merchants accept Bitcoin, Ethereum, USDC, and other assets for a flat 1% fee with no chargebacks. On March 31, 2026 Coinbase permanently shut down the standalone Commerce portal and folded its merchant tooling into Coinbase Business — a custodial successor that adds fiat off-ramps, accounting integrations, and USDC payout rails but is only available in the United States and Singapore as of April 2026. Merchants outside those two markets lost access on the shutdown date with no in-region migration path.

Last full audit: April 24, 2026

01

Trust Score Breakdown

Account Stability

35/100

Coinbase shut down the standalone Commerce portal on March 31, 2026 with only a few months of public notice. Merchants outside the US and Singapore were given no in-region migration path — they had to find a new processor or lose funds entirely. Even for supported regions, the abrupt sunset of a product trusted by thousands of merchants is the worst possible signal for account stability.

Developer Experience

64/100

The REST Charges API and webhook model (SHA256 HMAC via X-CC-Webhook-Signature) are straightforward, and official SDKs exist for Node, PHP, Python, and .NET. The newer Onchain Payment Protocol released in 2024 opened up hundreds of assets and auto-USDC settlement via DEX swaps. However, native Bitcoin support was deprecated in 2024, breaking long-standing integrations, and the 2026 migration to Coinbase Business requires code changes for auth, wallets, and settlement flows — devs building today face a moving target.

Payout Reliability

62/100

Onchain settlement on Base finalizes in ~200ms with transaction fees around a penny, and merchants who hold USDC receive funds directly into their own wallet with no intermediary. Historically, non-custodial architecture meant Coinbase could not hold or delay funds. However, the shift to Coinbase Business introduces custodial wallets with fiat off-ramps, and 2025-2026 community reports cite increasing difficulty withdrawing fiat — enough that some merchants advise withdrawing immediately after each payment.

Support Quality

32/100

Merchant reviews on Trustpilot, Capterra, and community forums consistently describe Coinbase Commerce support as slow, generic, or non-existent — users report canned responses, no real-time channels, and difficulty reaching human agents for urgent migration or withdrawal issues. The shutdown has compounded this: support ticket volume spiked in Q1 2026 while most merchants needed urgent help moving funds and integrations.

Track Record

50/100

Coinbase (parent) is a publicly traded US exchange founded in 2012 with a strong overall track record and SOC 2 reports across Custody, Prime, and Staking. Commerce launched in 2018 and handled meaningful merchant volume for 8 years. That long runtime is counterbalanced by the May 2025 data breach disclosure and the unusual decision to sunset the entire merchant product in 2026 — rare for a company with Coinbase's resources.

Transparency

58/100

The 1% fee is genuinely flat and clearly published — no international surcharges, no refund-fee gotchas, no tier fine print. That part is the strongest transparency story of any gateway in this directory. Offsetting this: communication around the March 2026 shutdown was rushed, the Coinbase Business rollout schedule for non-US/SG regions is undisclosed, and the migration form that asked merchants to paste 12-word seed phrases into a web page drew sharp criticism from security researchers.

02

Availability Matrix

Region Countries Currencies Payout Timing
Coinbase Business (post-migration) United States, Singapore USDC (primary settlement), USD, SGD fiat off-ramp. Accept hundreds of cryptocurrencies via the Onchain Payment Protocol with auto-conversion to USDC. Onchain settlement in ~200ms on Base; fiat off-ramp to linked US/SG bank typically 1-3 business days.
Everywhere else (service ended) All markets outside the US and Singapore — merchants in Europe, UK, Canada, LATAM, MENA, Africa, and most of APAC lost access when the standalone Commerce portal shut down on March 31, 2026. Coinbase Business expansion is publicly promised throughout 2026 but no country-by-country dates have been disclosed. N/A N/A — merchants must migrate to an alternative provider (BitPay, NOWPayments, MoonPay, Request Network, Aurpay, etc.)
03

Feature Snapshot

Hosted Checkout (Charges API)

Redirect buyers to a Coinbase-hosted checkout page where they select their preferred cryptocurrency. Create a charge via POST /charges with name, description, pricing_type, and local_price, then redirect to the returned hosted_url. No PCI scope for the merchant.

Onchain Payment Protocol

Released 2024 open-source protocol (github.com/coinbase/commerce-onchain-payment-protocol) that accepts hundreds of cryptocurrencies across Base, Ethereum, and Polygon. Payer's currency is swapped to USDC onchain via DEX; merchant receives USDC minus the 1% fee. ~200ms finality on Base.

USDC Stablecoin Settlement

Automatic onchain conversion to USDC shields merchants from crypto price volatility between checkout and settlement. Coinbase Business adds a fiat off-ramp that converts USDC to USD/SGD.

Webhooks

Real-time events for charge:created, charge:confirmed, charge:failed, charge:delayed, charge:pending, charge:resolved. Signed with SHA256 HMAC using the merchant's webhook shared secret and delivered in the X-CC-Webhook-Signature header. Verify against the raw request body.

No Chargebacks

Crypto payments are final once confirmed onchain — there is no card-network chargeback process. Eliminates friendly-fraud losses but also removes buyer reversal rights, which shifts the dispute burden fully onto the merchant's refund policy.

Payment Links / No-Code Checkout

Create shareable URLs and QR codes from the dashboard without writing code. Useful for invoicing, donations, and one-off sales. Integrates with Shopify, WooCommerce, Jumpseller, Primer.

Global USDC Payouts (Coinbase Business)

Send USDC to any onchain address or email address on Base with no gas fees for recipients. Enables cross-border disbursements, marketplace split payouts, and contractor payments. US/SG only in April 2026.

Accounting Integrations (Coinbase Business)

Coinbase Business ships with QuickBooks and Xero integrations for automatic transaction sync. Not available in the standalone Commerce product.

Native Bitcoin Support

Coinbase Commerce discontinued native Bitcoin (BTC on Bitcoin mainnet) payments in 2024 as part of the migration to the Onchain Payment Protocol. Merchants can still accept wrapped BTC (WBTC) and Bitcoin Cash, but not native BTC directly.

Subscriptions / Recurring Billing

No native recurring-billing primitive. Crypto wallets cannot pre-authorize debits the way cards can, so merchants must either use manual invoice reminders or build their own onchain subscription contracts.

Fiat Card Payments

Coinbase Commerce is a crypto-only processor. It does not accept Visa, Mastercard, Apple Pay, or any traditional fiat rails at checkout. Pair with a card processor like Stripe if you want both.

E-commerce Platform Integrations

Official or community integrations exist for Shopify, WooCommerce, Magento, Jumpseller, Primer. Plugin maintenance after the March 2026 shutdown is uncertain for non-US/SG merchants.

~

Non-Custodial Architecture (legacy)

Historically, Commerce was non-custodial — payments went directly to a merchant-controlled wallet and Coinbase could not freeze or claw back funds. Coinbase Business is custodial: funds sit with Coinbase until you withdraw, which enables fiat off-ramp but reintroduces the account-freeze risk that non-custodial crypto gateways were designed to avoid.

04

Pricing Breakdown

Transaction fee (all cryptocurrencies) 1% flat
Setup / monthly / cancellation fees None
Chargeback fee N/A — crypto payments are final onchain, no chargeback process exists
Onchain gas fees (payer-side) Paid by the buyer, not the merchant. Near-zero on Base (~$0.01), higher on Ethereum mainnet depending on congestion.
USDC conversion to USD/SGD (Coinbase Business only) Standard Coinbase exchange conversion fees apply when off-ramping to fiat (typically 0.5-1.5% depending on volume). Not charged if merchant holds USDC.
Effective all-in cost (crypto-held) ~1% — merchant receives USDC or native asset directly
Effective all-in cost (converted to fiat via Coinbase Business) ~1.5-2.5% depending on fiat conversion volume tier
05

Security & Compliance

PCI DSS N/A — Coinbase Commerce does not process card data. Buyer cryptocurrency transactions happen onchain, so PCI scope does not apply to merchants using Commerce alone.
SOC 2 Parent company Coinbase maintains SOC 2 Type 2 reports across Custody, Prime, and Staking. A separate SOC 2 attestation specific to the Commerce / Coinbase Business merchant product is not publicly listed.
Custody Model Standalone Commerce (pre-2026): non-custodial — private keys never touched Coinbase servers; payments went directly to merchant wallets. Coinbase Business (post-migration): custodial — funds sit in Coinbase-controlled wallets until the merchant withdraws, enabling fiat off-ramp but reintroducing freeze/ban risk.
Webhook Signature Verification All webhook events signed with SHA256 HMAC of the raw request payload, using the merchant's webhook shared secret. Signature delivered in the X-CC-Webhook-Signature header. Constant-time comparison recommended.
API Authentication X-CC-Api-Key header with a rotatable API key per merchant. Keys can be revoked from the dashboard at any time.
Onchain Finality & Dispute Resolution Payments are cryptographically final once confirmed onchain — no reversals, no chargebacks. Buyer-side disputes fall entirely on the merchant's refund policy and off-chain resolution.
May 2025 Coinbase Data Breach Coinbase disclosed a data breach in May 2025 affecting customer PII (names, addresses, partial account info) via a bribed overseas support contractor. Wallets and funds were not compromised. Impacted exchange customers, not Commerce merchants directly — but it is part of the parent company's recent track record.
06

Integration Prompt

Copy & use this 6691-char integration prompt

Production-ready prompt for Claude / GPT / Cursor — handles setup, security, webhooks & gotchas

 
You are integrating Coinbase Commerce (via the Onchain Payment Protocol / Coinbase Business API) as a crypto payment gateway into a [Django / Next.js / etc.] application.

## IMPORTANT CONTEXT BEFORE YOU START
Coinbase shut down the standalone Commerce portal on March 31, 2026 and migrated merchant tooling into Coinbase Business. As of April 2026, Coinbase Business is only available to merchants in the **United States and Singapore**. If your merchant is outside these two countries, stop here — use BitPay, NOWPayments, MoonPay, or Request Network instead. Do not build new Coinbase Commerce integrations for unsupported regions.

## Setup (US / SG merchants)
1. Sign up at https://www.coinbase.com/commerce and verify your business identity.
2. Generate an API key from Settings → API Keys.
3. Generate a webhook shared secret from Settings → Webhooks → Show shared secret.
4. Store both in environment variables — NEVER hardcode them:
   - `COINBASE_COMMERCE_API_KEY`
   - `COINBASE_COMMERCE_WEBHOOK_SECRET`
5. Base URL: `https://api.commerce.coinbase.com`
6. Set your settlement currency to **USDC** in the dashboard to avoid price volatility between checkout and settlement.

## Authentication
All API requests authenticate with two headers:

```python
headers = {
    "X-CC-Api-Key": settings.COINBASE_COMMERCE_API_KEY,
    "X-CC-Version": "2018-03-22",
    "Content-Type": "application/json",
}
```

## Recommended Integration: Hosted Checkout via Charges API
The simplest, lowest-risk integration is to create a charge server-side and redirect the buyer to Coinbase's hosted checkout page.

### Server-side (Create Charge):
```python
import requests

def create_charge(amount_usd, order_id, product_name):
    response = requests.post(
        "https://api.commerce.coinbase.com/charges",
        headers={
            "X-CC-Api-Key": settings.COINBASE_COMMERCE_API_KEY,
            "X-CC-Version": "2018-03-22",
            "Content-Type": "application/json",
        },
        json={
            "name": product_name,
            "description": f"Order {order_id}",
            "pricing_type": "fixed_price",
            "local_price": {
                "amount": f"{amount_usd:.2f}",
                "currency": "USD",
            },
            "metadata": {
                "order_id": str(order_id),
                "customer_email": "[email protected]",
            },
            "redirect_url": "https://yoursite.com/payment-success/",
            "cancel_url": "https://yoursite.com/payment-cancelled/",
        },
    )
    response.raise_for_status()
    charge = response.json()["data"]
    # charge["hosted_url"] — redirect the buyer here
    # charge["id"] — store this to reconcile with webhooks
    return charge
```

## Webhook Handling (Critical)
Never trust the client-side redirect alone — always confirm payment via webhooks, which are signed.

1. Register your webhook endpoint in the dashboard under Settings → Webhooks.
2. Subscribe to the events you need: `charge:created`, `charge:confirmed`, `charge:failed`, `charge:delayed`, `charge:pending`, `charge:resolved`.
3. **Always verify the signature before trusting the payload.** Use the RAW request body, not a parsed/re-serialized version:

```python
import hmac
import hashlib
from django.http import HttpResponse, HttpResponseBadRequest
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def coinbase_webhook(request):
    raw_body = request.body  # bytes, do NOT decode/re-encode
    signature = request.META.get("HTTP_X_CC_WEBHOOK_SIGNATURE", "")

    expected = hmac.new(
        settings.COINBASE_COMMERCE_WEBHOOK_SECRET.encode(),
        raw_body,
        hashlib.sha256,
    ).hexdigest()

    if not hmac.compare_digest(expected, signature):
        return HttpResponseBadRequest("Invalid signature")

    event = json.loads(raw_body)
    event_type = event["event"]["type"]
    charge = event["event"]["data"]

    # Idempotency: check if we've already processed this event.id
    if Event.objects.filter(provider_event_id=event["event"]["id"]).exists():
        return HttpResponse(status=200)

    if event_type == "charge:confirmed":
        order_id = charge["metadata"].get("order_id")
        # Fulfill the order — be sure to verify amount and currency match
        fulfill_order(order_id, charge)
    elif event_type == "charge:failed":
        mark_order_failed(charge["metadata"].get("order_id"))

    Event.objects.create(provider_event_id=event["event"]["id"])
    return HttpResponse(status=200)
```

4. Return 200 quickly, then process asynchronously for slow work (emails, downstream APIs).
5. Coinbase retries failed webhook deliveries — make your handler idempotent by recording `event.id`.

## Security Best Practices
- Never expose your API key in client-side code. All charge creation happens server-side.
- Always verify the webhook signature against the raw body — do not parse JSON and re-serialize before comparison.
- Set USDC as your settlement currency to avoid volatility between payment and payout.
- Withdraw to a self-custody wallet regularly rather than parking funds in the Coinbase Business balance.
- Rotate API keys if a deployment log, CI secret, or environment file is ever exposed.
- **NEVER enter your seed phrase into a web form, even one that appears to be Coinbase.** Use the dashboard or desktop wallet flow for migrations.

## Testing
- Coinbase Commerce does not provide a dedicated sandbox with test networks; you typically test with small real payments on low-cost networks like Base.
- Use the webhook test feature in the dashboard (Settings → Webhooks → Test webhook) to validate your signature verification without a live payment.
- Verify your idempotency handling by replaying the same webhook event multiple times.

## Common Gotchas
- **Amounts are strings, not numbers.** `"amount": "20.00"` — always two decimal places for USD.
- **No native Bitcoin.** BTC on the Bitcoin mainnet is not supported since 2024. Wrapped BTC and Bitcoin Cash are.
- **No recurring billing primitive.** Build subscriptions with manual reminders, your own onchain contracts, or a separate recurring billing layer (e.g., Stripe for fiat + Commerce for crypto).
- **Crypto payments are final.** No chargebacks means no reversals — design your refund policy around manual, off-chain refunds.
- **Regional restrictions.** Do not integrate for merchants outside US/SG; they cannot currently use Coinbase Business.
- **Signature verification is case-sensitive on the header name.** Read `X-CC-Webhook-Signature` exactly.
- **Expiration.** Charges expire after 1 hour of no payment — handle `charge:failed` events with `timeout` reason gracefully.

Replace [Django / Next.js / etc.] with your stack. Follows PCI DSS best practices and handles common edge cases.

07

Common Pitfalls

8 items
1

Standalone Commerce shut down on March 31, 2026

Coinbase permanently sunset the standalone Commerce portal on March 31, 2026. After that date the Commerce dashboard became inaccessible, the withdrawal tool was disabled, and merchants who had not moved funds out risk permanent loss. Only US and Singapore merchants have an in-product migration path (to Coinbase Business) — everyone else was told to pick a different processor. If you are evaluating this gateway today, assume it is not viable outside the US and Singapore.

2

Coinbase Business is US + Singapore only as of April 2026

The successor product, Coinbase Business, was launched with support in only two countries: the United States and Singapore. Expansion to additional markets is promised throughout 2026 but no country-by-country dates are public. Merchants in the EU, UK, Canada, LATAM, MENA, Africa, and most of APAC have no supported path to use Coinbase's merchant tools. Mitigation: use BitPay, NOWPayments, MoonPay, Request Network, or Aurpay while waiting.

3

Seed-phrase migration form flagged by security researchers

During the 2026 migration, a Coinbase Commerce subdomain page was found asking merchants to paste their 12-word seed phrases directly into a web form in plain text. Security researchers warned this normalizes a pattern that scammers can mimic — and that legitimate wallet tooling should never ask for a seed phrase over the web. Mitigation: never enter your seed phrase on any web page, including ones that appear to be Coinbase's. Use the desktop wallet migration flow or move funds manually via a self-custody wallet.

4

Native Bitcoin support was removed in 2024

Coinbase Commerce discontinued native Bitcoin (BTC on the Bitcoin base chain) as part of the 2024 shift to the Onchain Payment Protocol. Merchants can still accept wrapped BTC and Bitcoin Cash, but buyers holding BTC on their hardware wallet or exchange can no longer pay directly — a significant loss for the largest crypto holder segment. Mitigation: if native BTC acceptance is important, use BitPay or OpenNode instead.

5

No buyer protection and no chargebacks

Once an onchain payment is confirmed it is final — there is no card-network reversal, no PayPal-style dispute window, and no platform-backed buyer protection. This is a feature for merchants (zero chargeback losses) but means buyers have no safety net for undelivered goods, scams, or mistaken payments. Mitigation: publish a clear refund policy and respond to email disputes promptly; hostile buyers have no other escalation channel and may turn to public reviews and chargebacks on the card they used to buy crypto.

6

Custody shift in Coinbase Business reintroduces freeze risk

Coinbase Business is custodial, unlike the original non-custodial Commerce. Funds now sit with Coinbase until the merchant withdraws. This enables fiat off-ramp and accounting integrations but also means Coinbase can theoretically freeze, delay, or claw back balances — the same risk profile that makes merchants wary of PayPal and Stripe. Community reports in 2025-2026 already cite slower fiat withdrawals. Mitigation: withdraw to a self-custody wallet frequently rather than parking funds in the Coinbase Business balance.

7

Support quality is consistently rated poor

Across Trustpilot, Capterra, and community threads, merchants describe Commerce support as slow, canned, or unavailable when urgent. There is no phone line; support runs through ticketing with multi-day response times. During the shutdown window, volume spiked while merchants had the most urgent need for help. Mitigation: document your integration thoroughly and keep runbooks for manual fallback; do not depend on support to resolve time-sensitive payment issues.

8

Crypto price volatility between checkout and settlement

If the merchant chooses to settle in a volatile asset (BTC, ETH) rather than USDC, the dollar value of each payment can swing between the moment the buyer pays and the moment the merchant converts. Mitigation: always set USDC as the settlement currency in your dashboard — the Onchain Payment Protocol will swap the buyer's chosen asset to USDC automatically, shielding the merchant from volatility.

08

Community Pulse

The 2026 community sentiment around Coinbase Commerce is dominated by the March 31 shutdown. On G2 and Capterra the legacy product still holds a respectable ~4.4/5 rating from merchants who used it during its active years, citing the flat 1% fee, no-chargeback finality, and straightforward API as genuine strengths. But recent threads are overwhelmingly about the sunset: merchants outside the US and Singapore report being cut off with no in-region replacement, the seed-phrase-in-a-web-form migration page drew loud criticism from security researchers, and support response times during the transition were widely described as poor. Developers on Stack Overflow and Reddit have been writing migration guides to BitPay, NOWPayments, and Request Network since early Q1 2026.

💬 Coinbase Commerce Shutdown: Merchant Migration Guide [2026] MoonPay Newsroom · 2026
💬 Coinbase Commerce seed phrase page alarms security community ahead of March 31 shutdown crypto.news · 2026
💬 Coinbase Commerce Is Shutting Down — Here's How to Migrate in 10 Minutes DEV Community · 2026
💬 Coinbase Commerce Reviews, Pros and Cons Software Advice · 2026
💬 Aurpay vs Coinbase Commerce: Why Shopify Merchants Are Looking for Alternatives Aurpay · 2026

Sentiment last updated: April 2026 · We summarize — never copy — community content. Links go to original threads.

09

Changelog

  1. logo

    Downloaded Coinbase 'C' icon mark from Wikimedia Commons (public domain, originally from coinbase.com/press); resized from 1839x1543 to 400x335 PNG with transparency. Average brightness 140.7 — dark enough for default cream card background, logo_bg left empty.

  2. availability

    Initial entry reflects the post-shutdown reality: Coinbase Business supports US and Singapore only; all other regions lost access when the standalone Commerce portal was sunset on 2026-03-31.

  3. pricing

    Verified flat 1% transaction fee still applies under Coinbase Business. No setup, monthly, or chargeback fees. Fiat off-ramp via Coinbase exchange adds 0.5-1.5% depending on conversion volume.

  4. features

    Captured Onchain Payment Protocol (hundreds of assets, DEX-swap to USDC), hosted checkout Charges API, SHA256-HMAC webhooks, global USDC payouts, and QuickBooks/Xero integrations. Flagged native Bitcoin as removed in 2024 and subscriptions/fiat-card as unsupported.

  5. security

    Recorded non-custodial legacy vs custodial Coinbase Business model; SHA256-HMAC webhook signing with X-CC-Webhook-Signature header; noted PCI DSS is N/A for crypto-only rails; added May 2025 Coinbase data breach context.

  6. pitfalls

    Documented eight pitfalls: March 31 2026 shutdown, US+SG-only Coinbase Business, seed-phrase migration form security issue, 2024 native Bitcoin deprecation, no chargebacks/buyer protection, custody shift in Coinbase Business, weak support, and crypto volatility when not settling in USDC.

  7. community

    Initial community pulse: historically positive (4.4/5 on G2/Capterra) on the flat fee and dev experience, but 2026 threads are dominated by the shutdown — migration anxiety, seed-phrase form criticism, and merchants scrambling to alternatives (BitPay, NOWPayments, Request Network, Aurpay).

  8. trust_score

    Initial trust score 48/100. Strongest: transparency (58) and developer_experience (64) thanks to flat pricing and clean API. Weakest: support_quality (32) and account_stability (35) due to the abrupt Q1 2026 sunset and regional cutoffs.

  9. all

    Initial gateway entry created with full audit. Given the March 31 2026 shutdown and US+SG-only Coinbase Business rollout, the entry prominently flags the sunset so readers evaluating the gateway today have accurate, actionable guidance.

Back to Gateway Index

LearnWithHasan.com · Payment Gateway Index · No affiliate links · Builder-first