Scopes
Scopes grant permission to various API endpoints for your app. When requesting an access token to use on behalf of a user, your application will specify which scopes it needs and these will be shown to the user during the OAuth flow. It’s best to limit the scopes you need to the bare minimum so that users can feel confident with your app and the amount of data it can access.
Available Authorization Code scopes
Scope | Description |
---|---|
profile | Access the basic profile information on a user's Uber account including their name, email address, and profile picture. |
profile.mobile_number | Does not grant endpoint access on its own. Additionally provides the mobile number in the profile when used in conjunction with the profile scope. |
profile.internal_uuid | Allows a developer access to a user’s internal UUID after the user consents following an Authorization Code Grant. This UUID is a unique, internal identifier of the Uber rider. The user’s UUID is not encrypted/obfuscated and is the same between multiple applications. This should ideally only be used for 1P or 2P use cases. |
openid | This scope is used as part of OpenID Connect for authentication purposes. If the client is whitelisted for this scope, it will be able to receive an ID Token, which may contain user information. This can be used instead of or in addition to receiving an access token and calling the /me API endpoint. More info on this scope is included in the OpenID Connect spec/RFC: https://openid.net/specs/openid-connect-core-1_0.html#RFC6749. |
offline_access | Provides the ability to refresh tokens for offline use. |
identity.link-account | Allows an application to link the user’s 3P partner account to their Uber account following an OAuth 2.0 consent flow. |
Available Client Credentials scopes
Scope | Description |
---|---|
identity.unlink-account | Allows an application to unlink the user’s 3P partner account from their Uber account. |
identity.web-cookies | Allows the caller to request web cookies as part of the urn:ietf:params:oauth:token-type:jwt requested token type through the Token Exchange grant. |
identity.revoke-web-cookies | Allows the caller to revoke all web cookies/sessions for the given user ID and client ID (derived from the client credentials token). |
identity.scim.update-user | Allows a 3P to update a user's Uber account through a SCIM endpoint in the subdomain configured for the client. |
identity.scim.delete-user | Allows a 3P to delete a user's Uber account through a SCIM endpoint in the subdomain configured for the client. |
identity.scim.get-user | Allows a 3P to get a user's Uber account through a SCIM endpoint in the subdomain configured for the client. |
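
The two tables above can be enforced before a token request is ever sent. The following is an added example, not code from Uber or from this page: the function name `lint_scopes`, the `REQUIRES` and `REVIEW` tables, and the choice of which scopes to flag for review are assumptions of the example; the scope names and grant types are transcribed from the tables.

```python
# Added example: scope names come from the tables on this page;
# lint_scopes, REQUIRES and REVIEW are hypothetical names.
AUTH_CODE_SCOPES = {
    "profile", "profile.mobile_number", "profile.internal_uuid",
    "openid", "offline_access", "identity.link-account",
}
CLIENT_CREDENTIALS_SCOPES = {
    "identity.unlink-account", "identity.web-cookies",
    "identity.revoke-web-cookies", "identity.scim.update-user",
    "identity.scim.delete-user", "identity.scim.get-user",
}
ALLOWED = {
    "authorization_code": AUTH_CODE_SCOPES,
    "client_credentials": CLIENT_CREDENTIALS_SCOPES,
}
# Scopes that grant nothing unless another scope is also requested.
REQUIRES = {"profile.mobile_number": "profile"}
# Scopes to justify in review (selection is this example's assumption;
# the reasons paraphrase the page's descriptions).
REVIEW = {
    "profile.internal_uuid": "same UUID across applications; ideally 1P/2P only",
    "offline_access": "allows refreshing tokens for offline use",
    "identity.scim.delete-user": "can delete a user's Uber account",
}


def lint_scopes(grant_type, requested):
    """Return (scope_param, errors, warnings) for a requested scope list."""
    if grant_type not in ALLOWED:
        raise ValueError(f"unknown grant type: {grant_type}")
    scopes = list(dict.fromkeys(requested))  # de-duplicate, keep order
    errors, warnings = [], []
    for s in scopes:
        if s not in ALLOWED[grant_type]:
            other = [g for g, table in ALLOWED.items() if s in table]
            hint = f" (listed under {other[0]})" if other else ""
            errors.append(f"{s}: not valid for the {grant_type} grant{hint}")
        if s in REQUIRES and REQUIRES[s] not in scopes:
            errors.append(f"{s}: has no effect without {REQUIRES[s]}")
        if s in REVIEW:
            warnings.append(f"{s}: {REVIEW[s]}")
    # RFC 6749 section 3.3: the scope parameter is a space-delimited list.
    scope_param = " ".join(scopes) if not errors else None
    return scope_param, errors, warnings
```

Running this in CI against the scope list in an application's configuration catches a scope requested under the wrong grant type, and makes any broadening of requested scopes visible in code review.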