Uber

Developers

Certs

GET https://auth.uber.com/oauth/v2/certs

You are viewing the latest version of this endpoint.

Overview

This document covers how to validate the ID Token issued by the Uber OAuth server (based on the OIDC Core 1.0 specification).

Prerequisite

This page assumes you have already done the following:

  1. registered an account and created an Uber developer application at https://developer.uber.com
  2. requested OAuth scopes for your application (if not, please contact your Uber Partner Engineer or Account Executive)
  3. obtained an id_token from User ID Token

Validate ID Token - Manual integration

We encourage you to run a manual test before integrating programmatically with your production system. This section provides a step-by-step guide to manually generate an access token with the asymmetric key.

Example request and response

The example below retrieves the JWK from Uber. The JWK is required to validate the id_token issuance, by matching the kid from the JWK against the kid header of the id_token.

The kid value returned by /certs is rotated periodically.

Request:

```bash
curl -X GET "https://auth.uber.com/oauth/v2/certs"
```

Response:

```json
{
 "keys": [
  {
   "kid": "kid",
   "kty": "kty",
   "alg": "RS256",
   "use": "sig",
   "e": "AQAB",
   "n": "n"
  }
 ]
}
```

Check each key in the response's keys list for a kid that matches the kid in the id_token header. See Validating the ID Token to learn more about the security reasons for validating the id_token.

Below is a snippet showing how to transform the JWK into a public key that validates the id_token signature.

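  const jwt = require("jsonwebtoken");
  const jwkToPEM = require("jwk-to-pem");

  UberAPI.auth.requestTokens().then(async (tokens) => {
    // The id_token to validate, taken from the token response
    const token = tokens.id_token;

    // Decode without verifying, only to read the kid header
    const decodedToken = jwt.decode(token, { complete: true });
    if (!decodedToken) {
      throw new Error("id_token is not a well-formed JWT");
    }
    const kid = decodedToken.header.kid;

    // Fetch the current JWK set from Uber
    const certsResponse = await fetch("https://auth.uber.com/oauth/v2/certs");
    const jwkResponse = await certsResponse.json();

    // Pick the key whose kid matches the token header
    let signatureKey = null;
    for (const key of jwkResponse.keys) {
      if (key.kid === kid) {
        signatureKey = key;
        break;
      }
    }

    if (!signatureKey) {
      throw new Error("No key from /certs matches the id_token kid");
    }

    const publicKey = jwkToPEM(signatureKey);
    try {
      // Accept RS256 only, so the token header cannot choose the algorithm
      const decoded = jwt.verify(token, publicKey, { algorithms: ["RS256"] });
      console.log(decoded);
    } catch (e) {
      throw new Error(`id_token signature verification failed: ${e.message}`);
    }
  });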

Besides verifying the token signature, it’s important to check that all the mandatory claims are correct, as listed below:

  • iss: The Client ID of the application;
  • sub: The Client ID of the application;
  • aud: auth.uber.com;
  • exp: The expiration time of the JWT;
  • jti: A unique identifier for the JWT;
  • iat: The time at which the JWT was issued.

And the following headers:

  • alg: RS256;
  • typ: JWT;
  • kid: Key UUID from key file.
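
The checks described above (key selection by kid, RS256 signature verification, then header and claim validation) combined in one function, as an added example that is not Uber's code. It uses only Node's built-in crypto module; the key pair, kid, client ID, token values and the 60-second iat skew allowance are constructed assumptions, and the expected iss and aud are supplied by the caller.

```javascript
const nodeCrypto = require("crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");
const parse = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Returns the claims when every check passes; throws on the first failure.
// `expected` holds the iss and aud values your application requires (assumption).
function validateIdToken(token, jwks, expected, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) throw new Error("malformed token");
  const header = parse(h);
  // Pin alg before selecting a key: rejects "none" and HMAC key-confusion tokens.
  if (header.alg !== "RS256" || header.typ !== "JWT") throw new Error("unexpected alg/typ");
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  // Keys rotate: a caller may refetch /certs once on this error, then reject.
  if (!jwk) throw new Error("unknown kid");
  const key = nodeCrypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" });
  const sig = Buffer.from(s, "base64url");
  if (!nodeCrypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, sig)) throw new Error("bad signature");
  const c = parse(p); // claims are trusted only from this point on
  if (c.iss !== expected.iss) throw new Error("wrong iss");
  if (![].concat(c.aud).includes(expected.aud)) throw new Error("wrong aud");
  if (!c.sub || !c.jti) throw new Error("missing sub/jti");
  if (!Number.isInteger(c.exp) || c.exp <= now) throw new Error("expired");
  // 60 s of clock skew is an assumed allowance, not a value from the page.
  if (!Number.isInteger(c.iat) || c.iat > now + 60) throw new Error("iat in the future");
  return c;
}

// Constructed fixtures: a throwaway RSA key pair stands in for an Uber signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-kid", alg: "RS256", use: "sig" }] };
const NOW = 1700000000; // fixed clock so the results are reproducible
const EXPECTED = { iss: "demo-client-id", aud: "auth.uber.com" };
const HEADER = { alg: "RS256", typ: "JWT", kid: "demo-kid" };
const CLAIMS = { iss: "demo-client-id", sub: "demo-client-id", aud: "auth.uber.com", exp: NOW + 300, iat: NOW, jti: "demo-jti-1" };

function makeToken(header, claims) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url")}`;
}

// Runs the validator and reports "valid" or the reason for rejection.
function outcome(token) {
  try { validateIdToken(token, JWKS, EXPECTED, NOW); return "valid"; } catch (e) { return e.message; }
}

console.log(outcome(makeToken(HEADER, CLAIMS)));
console.log(outcome(makeToken({ ...HEADER, alg: "none" }, CLAIMS)));
console.log(outcome(makeToken({ ...HEADER, kid: "rotated-out" }, CLAIMS)));
console.log(outcome(makeToken(HEADER, { ...CLAIMS, exp: NOW - 1 })));
```

The header is parsed before verification only to select the key and pin the algorithm; no claim is read until the signature has been checked.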

Error Code

This section covers the possible error codes and messages.

| Type | Code | Description | Content type |
|------|------|-------------|--------------|
| server_error | 405 | http method not allowed | text/plain |
| server_error | 500 | server error | text/plain |

© 2025 Uber Technologies Inc.