Uber

Developers

Client Access Token Authorization

Overview

Uber APIs support the OAuth 2.0 authentication and authorization mechanisms for gaining access to the respective APIs.

Client Access Token authentication

The Uber API uses OAuth 2.0 to allow developers to get a client access token to access users' data. OAuth 2.0 is a specification outlined in RFC 6749 that allows third-party services to make requests on behalf of a user without accessing passwords and other sensitive information. If you are unfamiliar with OAuth 2.0, check out Aaron Parecki’s “OAuth 2 Simplified” guide.

We strongly recommend that you use a pre-built library to perform the authorization grant and token generation for OAuth 2.0. If you go this route, all you will need are the endpoints below and to specify your redirect URL in the application dashboard.

It’s important to note that the Client Credentials grant type is rate limited to 100 requests per hour. Any request above that limit will return 429 Too Many Requests.

OAuth 2.0 endpoints

Authorization Host    https://auth.uber.com
Token Endpoint        https://auth.uber.com/oauth/v2/token

Setup

To set your application up initially, follow these two guides, which show how you can configure your application and test it accordingly.

Step 1: Get Token using Client Credentials

After setting your application up, you can retrieve your Access Token using the client_id and client_secret generated in the developer.uber.com Dashboard.

Example Request:

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=client_credentials' \
     -F 'scope=<space_delimited_scopes>' \
     https://auth.uber.com/oauth/v2/token

Example Response:

{
    "access_token": "xxxx",
    "expires_in": 2592000,
    "token_type": "Bearer",
    "refresh_token": "xxxx",
    "scope": "<space_delimited_scopes>"
}

The access_token is valid for the time described by expires_in (in seconds). The refresh_token expires after one year and can be used to obtain a new access_token at any time given that your application is still authorized to access the API on behalf of this user.

Step 2: Use bearer token

Pass the access_token returned in the previous step as a bearer token in the Authorization header.

curl -X POST \
    -H 'Authorization: Bearer <access_token>' \
    -d '{"id":"<your_client_id>"}' \
    'https://api.uber.com/v1/mirror/external/echo'

Refresh Token

Once the access_token has expired, or at any time before that, you can obtain a new access_token by exchanging the refresh_token associated with it. Note: The Client ID must match the Client ID from the Client Credentials Token flow.

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=refresh_token' \
     -F 'refresh_token=<REFRESH_TOKEN>' \
     https://auth.uber.com/oauth/v2/token

A refresh_token is valid for one year and tokens that have been inactive for more than one year will be invalidated. The client ID must match the client ID from the authorization code flow.
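
The following is an added example, not Uber's code: a small token cache that performs Step 1 once, reuses the access_token until shortly before expires_in elapses, and then switches to the refresh_token grant, so routine API calls do not count against the 100-requests-per-hour limit on client_credentials. TokenCache, TokenError, http_post_form and the 300-second margin are hypothetical names and values. It assumes the token endpoint accepts a form-urlencoded body and reports failures in a JSON error field, as RFC 6749 describes.

```python
import json, time, urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://auth.uber.com/oauth/v2/token"  # token endpoint from the page

class TokenError(Exception):
    """Carries the OAuth error code, e.g. invalid_client or too_many_requests."""

def http_post_form(url, fields):
    # Assumption: the endpoint accepts RFC 6749 form-urlencoded bodies
    # (the page's curl examples use -F, which sends multipart/form-data).
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read())
        except ValueError:  # error body was empty or not JSON
            return err.code, {}

class TokenCache:
    """Hypothetical helper: fetch once, reuse until shortly before expiry."""
    def __init__(self, client_id, client_secret, scope, post=http_post_form,
                 clock=time.time, margin=300):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._scope, self._post, self._clock, self._margin = scope, post, clock, margin
        self._token = self._refresh = None
        self._expires_at = 0.0

    def _request(self, grant):
        status, body = self._post(TOKEN_URL, {**self._creds, **grant})
        if status == 429:  # page: more than 100 client_credentials calls per hour
            raise TokenError("too_many_requests")
        if status != 200 or "access_token" not in body:
            raise TokenError(body.get("error", f"http_{status}"))
        self._token = body["access_token"]
        self._refresh = body.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + int(body["expires_in"])

    def get(self):
        if self._token and self._clock() < self._expires_at - self._margin:
            return self._token  # cached: no request to the token endpoint
        if self._refresh:
            self._request({"grant_type": "refresh_token", "refresh_token": self._refresh})
        else:
            self._request({"grant_type": "client_credentials", "scope": self._scope})
        return self._token
```

Create one TokenCache per process and pass the result of get() as the bearer token in Step 2. Load client_secret from an environment variable or secret store rather than from source code.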

Revoke Token

To revoke an access or refresh token previously generated with the client credentials grant type, call the following route with the same client_id and client_secret used in the earlier requests. Use the following cURL command to revoke your tokens:

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'token=<TOKEN>' \
     https://auth.uber.com/oauth/revoke

Debugging & authentication errors

Expect access token lengths to change over time as Uber makes changes to what is stored in them and how they are encoded. To account for this, please use a variable length data type without a specific maximum size to store access tokens and refresh tokens.

Error                      Description
invalid_request            Required parameters were not provided.
invalid_client             The client ID or secret provided is invalid.
invalid_grant              Valid grant types are authorization_code and refresh_token.
invalid_scope              The scope parameter provided is not a valid subset of scopes.
too_many_requests          The user has called the Token endpoint with the client_credentials grant type more than 100 times in an hour.
server_error               The server returned an unknown error.
temporarily_unavailable    The endpoint is temporarily unable to respond.

© 2023 Uber Technologies Inc.