Uber

Developers

OAuth Client Credentials Flow

Overview

Uber APIs use OAuth 2.0. In the Client Credentials flow, your backend exchanges your client_id and client_secret for a scoped access token to call APIs without a user.

The Client Credentials token endpoint is rate limited to 100 requests per hour. Exceeding this limit returns 429 Too Many Requests.

Tip: Cache and reuse the access token until it expires (expires_in) to avoid unnecessary token requests. Refresh only when expired or on a 401 response.

OAuth 2.0 endpoints

Authorization Host: https://auth.uber.com
Token Endpoint: https://auth.uber.com/oauth/v2/token

Setup

To set your application up initially, follow these two guides, which show how you can configure your application and test it accordingly.

Step 1: Get Token using Client Credentials

After setup, you can retrieve an access token using your client_id and client_secret.

Example Request:

curl -X POST https://auth.uber.com/oauth/v2/token \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'grant_type=client_credentials' \
     -d 'client_id=<CLIENT_ID>' \
     -d 'client_secret=<CLIENT_SECRET>' \
     -d 'scope=<space_delimited_scopes>'

Example Response:

{
    "access_token": "xxxx",
    "expires_in": 2592000,
    "token_type": "Bearer",
    "scope": "<space_delimited_scopes>"
}

The access_token is valid for the time described by expires_in (in seconds).
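
The caching advice in the Overview tip, together with the expires_in field above, can be implemented as in the following added example (not Uber's own code). The TokenCache class, its skew parameter and the fetch_token helper are hypothetical names introduced here; only the endpoint and form fields come from this page.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.uber.com/oauth/v2/token"  # token endpoint from this page


def fetch_token(client_id, client_secret, scope):
    """POST the client_credentials grant and return the parsed JSON response."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=body)  # data present => form POST
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on 4xx/429
        return json.load(resp)


class TokenCache:
    """Holds one access token and requests a new one only when needed.

    Usage: cache = TokenCache(lambda: fetch_token(ID, SECRET, SCOPES))
    """

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch        # zero-argument callable returning the token JSON
        self._skew = skew          # assumption: refresh this many seconds early
        self._clock = clock        # injectable so expiry can be tested offline
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._expires_at = 0.0
        self.requests = 0          # token-endpoint calls made (limit: 100 per hour)

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                self.requests += 1  # counted even if the call fails
                resp = self._fetch()
                self._token = resp["access_token"]
                self._expires_at = self._clock() + int(resp["expires_in"]) - self._skew
            return self._token

    def invalidate(self):
        """Call after an API request returns 401, then call get() again."""
        with self._lock:
            self._token = None
```

Keep client_secret out of source code; load it from the server's secret store or environment when constructing the fetch callable.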

Step 2: Use bearer token

Pass the access_token returned in the previous step as a bearer token in the Authorization header for subsequent API calls:

curl -X POST \
    -H 'Authorization: Bearer <access_token>' \
    -d '{"id":"random_id_for_testing"}' \
    'https://api.uber.com/v1/mirror/external/echo'

Revoke Token

For token revocation, see OAuth Token Revocation.

Debugging & authentication errors

Expect access token lengths to change over time as Uber makes changes to what is stored in them and how they are encoded. To account for this, please use a variable length data type without a specific maximum size to store access tokens and refresh tokens.

Security note: Use the Client Credentials flow only from trusted server-side environments. Never expose client_secret in browsers or mobile apps. Rotate secrets periodically.

Error                    Description
invalid_request          Required parameters were not provided.
invalid_client           The client ID or secret provided is invalid.
invalid_grant            Valid grant types are authorization_code and refresh_token.
invalid_scope            The scope parameter provided is not a valid subset of scopes.
too_many_requests        The user has called the Token endpoint with the client_credentials grant type more than 100 times in an hour.
server_error             The server returned an unknown error.
temporarily_unavailable  The endpoint is temporarily unable to respond.

© 2025 Uber Technologies Inc.