Certs

GET https://auth.uber.com/oauth/v2/certs


Overview

This doc covers how to validate the ID Token issued by the Uber OAuth server (based on the OIDC Core 1.0 specification).

Prerequisite

We assume you have already done the following before reading this page:

  1. registered an account and created an Uber developer application at https://developer.uber.com
  2. requested OAuth scopes for your application (if not, please contact your Uber Partner Engineer or Account Executive)
  3. obtained an id_token, as described in User ID Token

Validate ID Token - Manual integration

It’s encouraged to conduct a manual test before programmatically integrating with your production system. This section provides a step-by-step guide to manually validating the ID Token with the asymmetric (public) key.

Step 1: Validating token headers

The example below retrieves the JWK Set from Uber. This is required to validate the id_token signature: the kid header of the id_token is matched against the kid of a key in the JWK Set, and that key verifies the signature.

The keys returned by /certs (and their kid values) are rotated periodically.

Request:

```bash
curl -X GET "https://auth.uber.com/oauth/v2/certs"
```

Response:

```json
{
 "keys": [
  {
   "kid": "kid",
   "kty": "kty",
   "alg": "RS256",
   "use": "sig",
   "e": "AQAB",
   "n": "n"
  }
 ]
}
```

Check each key in the response's keys list for a kid matching the id_token header. Visit Validating the ID Token to learn more about the security reasons for validating the id_token.

Below is a snippet showing how to transform the JWK into a public key and use it to validate the id_token signature.

```javascript
const jwt = require("jsonwebtoken");
const jwkToPem = require("jwk-to-pem");

// UberAPI.auth.requestTokens() stands for the client call that returns the
// token response containing the id_token.
UberAPI.auth.requestTokens().then(async (response) => {
  const idToken = response.id_token;

  // Decode without verifying, only to read the kid header.
  const decodedToken = jwt.decode(idToken, { complete: true });
  const kid = decodedToken.header.kid;

  // Fetch the current JWK Set published by Uber.
  const certsResponse = await fetch("https://auth.uber.com/oauth/v2/certs");
  const jwkResponse = await certsResponse.json();

  // Select the key whose kid matches the token header.
  let signatureKey = null;
  for (const key of jwkResponse.keys) {
    if (key.kid === kid) {
      signatureKey = key;
      break;
    }
  }

  if (!signatureKey) {
    throw new Error(`no signing key found for kid ${kid}`);
  }

  // Convert the JWK to a PEM public key and verify the signature,
  // pinning the accepted algorithm to RS256.
  const publicKey = jwkToPem(signatureKey);
  try {
    const decoded = jwt.verify(idToken, publicKey, { algorithms: ["RS256"] });
    console.log(decoded);
  } catch (e) {
    throw new Error(`id_token signature verification failed: ${e.message}`);
  }
}).catch((error) => {
  throw error;
});
```

Besides verifying the token signature, it’s important to check that all the mandatory claims are correct, following the list:

  • iss: The Client ID of the application;
  • sub: The Client ID of the application;
  • aud: auth.uber.com;
  • exp: The expiration time of the JWT;
  • jti: A unique identifier for the JWT;
  • iat: The time at which the JWT was issued.

And the following headers:

  • alg: RS256;
  • typ: JWT;
  • kid: Key UUID from key file.

Step 2: Validating nonce claims

After successfully receiving the ID Token and validating its header (e.g., signature, algorithm), the next critical step for the client is to validate the nonce claim from the token payload.

Step 2.1: Validation Process

The client must securely store the nonce it generated and sent in the initial authorization request (e.g., in a session cookie or local storage, strictly bound to the user’s session).

Step 2.2: Comparison

Compare the extracted nonce from the ID Token payload with the nonce originally sent by the client.

If the nonces match: The validation is successful. This confirms that the ID Token was issued in response to the specific authentication request made by this client for this session, significantly mitigating replay attacks. The client can proceed to process the ID Token and establish the user’s session.

If the nonces do not match: The validation fails. The client must reject the ID Token and abort the authentication process. This indicates a potential security concern, such as a replay attack or token tampering.

Error Code

This section covers the possible error codes and messages.

| Type | Code | Description | Content type |
| --- | --- | --- | --- |
| server_error | 405 | http method not allowed | text/plain |
| server_error | 500 | server error | text/plain |

© 2025 Uber Technologies Inc.