PEM private key is re-parsed from scratch on every REST request

[chris-ashford]

Summary

jwt_generator.build_jwt() calls serialization.load_pem_private_key() on every single REST request, re-deriving the private key object from the raw PEM bytes each time. Since the private key never changes for the lifetime of a RESTClient, this work is entirely redundant and adds unnecessary latency to every API call.

Details

The current flow for every authenticated REST request is:

1. RESTBase.set_headers() calls jwt_generator.build_rest_jwt(uri, self.api_key, self.api_secret)
2. build_rest_jwt() calls build_jwt(key_var, secret_var, uri=uri)
3. build_jwt() re-parses the PEM key on every invocation:

# jwt_generator.py, lines 15-18
private_key_bytes = secret_var.encode("utf-8")
private_key = serialization.load_pem_private_key(
    private_key_bytes, password=None
)

load_pem_private_key() performs ASN.1/DER parsing and key deserialization, which is non-trivial overhead — especially when combined with the subsequent ES256 (ECDSA) signing operation. In latency-sensitive use cases (e.g. trading), this adds up.

Suggested fix

Parse the private key once (e.g. in RESTBase.__init__() or lazily on first use) and pass the pre-parsed key object into build_jwt(). For example:

# In RESTBase.__init__():
if self.is_authenticated:
    private_key_bytes = self.api_secret.encode("utf-8")
    self._private_key = serialization.load_pem_private_key(
        private_key_bytes, password=None
    )

Then update build_jwt() to accept an already-parsed key object instead of the raw secret string.

Environment

• SDK version: coinbase-advanced-py (latest)
• Python: 3.x
• Dependencies: cryptography >= 42.0.4, PyJWT >= 2.8.0

[github-actions]

Thank you for reporting! If this is an SDK specific issue, we will look into it and get back to you soon. If this is an API related request, report it in our Advanced API Discord instead (use this invite link if it's your first time accessing the Discord).