Authentication
The Uber Ads API uses OAuth 2.0 authorization code flow to securely authenticate your application and authorize access to advertising data.
¶ How OAuth 2.0 works
OAuth 2.0 lets users grant your application access to their Uber Ads data without sharing their login credentials. The process involves:
- Authorization: Users authorize your app through Uber’s login system
- Token exchange: Your app exchanges the authorization code for access tokens
- API access: Use access tokens to make authenticated API requests
¶ Required scopes
When requesting authorization, specify the scopes your application needs:
| Scope | Access |
|---|---|
ads.campaigns.read |
Read access to campaign data |
ads.ad-accounts.read |
Read access to user’s ad accounts |
ads.products.read |
Read access to product endpoints |
ads.reporting |
Access to reporting endpoints |
Important: Adding more scopes to your application will require users to go through a reauthorization process. Ensure your integration can handle cases where reauthorization is needed, as users will need to approve the new scope permissions.
¶ Authorization flow
Step 1: Direct users to authorize your app
Send users to Uber’s authorization URL:
https://auth.uber.com/oauth/v2/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=ads.campaigns.read ads.ad-accounts.read ads.products.read ads.reporting&response_type=code
Parameters:
client_id- Your application’s client ID from the Developer Dashboardscope- Space-separated list of requested scopesredirect_uri- Where users are redirected after authorization
Step 2: Handle the authorization response
Once the Uber user authenticates and authorizes your app, Uber will issue an HTTP 302 redirect to the redirect_uri. On that redirect, you will have a single-use authorization code which will expire in 10 minutes. The code query parameter is the authorization code needed for the next step.
Step 3: Exchange code for tokens
Make a POST request to exchange the authorization code for access tokens:
curl -X POST https://login.uber.com/oauth/v2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=AUTHORIZATION_CODE" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "redirect_uri=YOUR_REDIRECT_URI"
Response:
{
"access_token": "ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 86400,
"refresh_token": "REFRESH_TOKEN",
"scope": "ads.campaigns.read ads.ad-accounts.read ads.products.read ads.reporting"
}
¶ Using access tokens
Include the access token in the Authorization header of all API requests:
curl -X GET "https://api.uber.com/v1/ads/account/{account_id}/campaigns" \
-H "Authorization: Bearer {ACCESS_TOKEN}" \
-H "Content-Type: application/json"
¶ Refreshing access tokens
Access tokens expire after a period of time. Use the refresh token to obtain a new access token without requiring the user to re-authorize your application.
Make a POST request with the refresh token:
curl -X POST https://auth.uber.com/oauth/v2/token \
-F "client_secret=YOUR_CLIENT_SECRET" \
-F "client_id=YOUR_CLIENT_ID" \
-F "grant_type=refresh_token" \
-F "redirect_uri=YOUR_REDIRECT_URI" \
-F "refresh_token=REFRESH_TOKEN"
Response:
{
"access_token": "NEW_ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 86400,
"refresh_token": "REFRESH_TOKEN",
"scope": "ads.campaigns.read ads.ad-accounts.read ads.products.read ads.reporting"
}
Important notes:
- Refresh tokens do not expire but can be revoked by the user or when new scopes are added to your application.
- Implement token refresh logic before the access token expires to ensure uninterrupted API access.