After you’ve registered your developer account and application, you’ll be able to access the following parameters for your application on the Applications page to use for authorization.

  • client_id: The ID of your application; treat it as your application’s user name.
  • client_secret: The secret for your application; treat it like your application’s password. Never share it with anyone, check it into source code, or post it in any public forum. Additionally, do not distribute it on client devices, where users could decompile your code and access the secret. If you suspect your client_secret has been compromised, you may generate a new one in your application’s dashboard, which will immediately invalidate the old secret.


Use the business.receipts scope for the Uber for Business Receipts API.

Client Credentials Flow

To access the Business API, instead of authenticating as a user, authenticate as your application using the client credentials grant type. This will create an OAuth 2.0 access token with the specified scopes. These tokens cannot be refreshed, but they can be created as many times as needed.

Note: Client credentials grant type requests will be rate limited to 100 requests per hour. After generating 100 tokens with the client credentials grant type, creating a new token will invalidate the oldest token.

To create a client credential token, use the POST /token endpoint as follows, using your app’s client ID and secret from the developer dashboard:

Note: It is not possible to mix scopes that require the client credentials grant (app) and scopes that require the authorization grant (user). When requesting access to scopes that require the client credentials flow, you must pass the required scopes and not rely on the default scopes behavior.

Note: This endpoint expects requests to be encoded as application/x-www-form-urlencoded or multipart/form-data. JSON encoding is not supported for the request body.

curl -X POST \
  -F 'client_id=<CLIENT_ID>' \
  -F 'client_secret=<CLIENT_SECRET>' \
  -F "grant_type=client_credentials" \
  -F "scope=business.receipts" \
  "<TOKEN_ENDPOINT_URL>"

The access_token is good for a limited period of time described by the expires_in field (in seconds):

Status Code: 200 OK

    {
      "access_token": "xxx",
      "token_type": "Bearer",
      "expires_in": 2592000,
      "scope": "business.receipts"
    }

Error Responses

Here are common error responses and the possible reason for each response.

Status Code: 401 Unauthorized

  {
    "error": "invalid_grant"
  }

  1. You are using an invalid refresh_token. You can generate multiple access tokens, but you can only use the latest generated refresh_token.
  2. You supplied an invalid code when exchanging an authorization code for an access_token.

Status Code: 400 Bad Request

  {
    "error": "unsupported_grant_type"
  }

You supplied an invalid string for the grant_type field. Only refresh_token, authorization_code and client_credentials are valid values.

Status Code: 401 Unauthorized

  {
    "error": "invalid_client"
  }

Either your client_id or client_secret is invalid.
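
The flow above as a small client, added here as an illustration and not taken from Uber's documentation or SDKs: it reads the secret from the environment, sends a form-encoded request with an explicit scope, reuses the token until shortly before expires_in elapses so the 100-per-hour limit is never approached, and surfaces the error codes listed above. The environment variable names, the class and function names, and the token_url argument (the page does not give the endpoint URL) are assumptions.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request


class TokenError(Exception):
    """Carries the OAuth error code from a 400/401 response body."""


def http_post_form(url, fields):
    """POST form-encoded fields (not JSON); return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400 / 401 carry a JSON error body
        return err.code, json.load(err)


class ClientCredentialsToken:
    """Caches one app token and requests a new one only near expiry."""

    def __init__(self, token_url, scope, post=http_post_form,
                 clock=time.time, skew=60):
        self.token_url, self.scope = token_url, scope
        self.post, self.clock, self.skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token and self.clock() < self._expires_at - self.skew:
            return self._token  # reuse: no new token, no rate-limit pressure
        status, body = self.post(self.token_url, {
            # Assumed variable names; the secret never appears in source code.
            "client_id": os.environ["UBER_CLIENT_ID"],
            "client_secret": os.environ["UBER_CLIENT_SECRET"],
            "grant_type": "client_credentials",
            "scope": self.scope,  # explicit; default scopes are not relied on
        })
        if status != 200:
            # e.g. invalid_client, unsupported_grant_type, invalid_grant
            raise TokenError(body.get("error", f"http_{status}"))
        self._token = body["access_token"]
        self._expires_at = self.clock() + int(body["expires_in"])
        return self._token
```

The post and clock parameters exist so the caching and error handling can be exercised without contacting the token endpoint.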


© 2023 Uber Technologies Inc.