Authentication
To access the Direct API, you will need a valid access token from our OAuth service. All calls to https://api.uber.com/ leverage OAuth 2.0 with the client_credentials grant type.
The OAuth 2.0 specification is outlined in RFC 6479.
¶ Get an Access Token
To generate an access token, retrieve your application’s client_id and client_secret from the Direct Dashboard.
¶ Authentication Request
The authentication endpoint expects requests to be encoded as application/x-www-form-urlencoded or multipart/form-data.
Header Type #1: application/x-www-form-urlencoded
```bash
curl --request POST 'https://auth.uber.com/oauth/v2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<CLIENT_ID>' \
  --data-urlencode 'client_secret=<CLIENT_SECRET>' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=eats.deliveries'
```
Header Type #2: multipart/form-data
```bash
curl --request POST 'https://auth.uber.com/oauth/v2/token' \
  --header 'Content-Type: multipart/form-data' \
  --form 'client_id="<CLIENT_ID>"' \
  --form 'client_secret="<CLIENT_SECRET>"' \
  --form 'grant_type="client_credentials"' \
  --form 'scope="eats.deliveries"'
```
Parameter | Description |
---|---|
client_id | The Client ID of your application, retrieved from the Direct Dashboard. |
client_secret | The Client Secret of your application. This should be treated like your application password. |
grant_type | To access the Uber Direct API, authenticate your application by setting this to the client_credentials grant type. This will create an OAuth 2.0 access token with the specified scope. |
scope | Specifies the Uber developer endpoints that this token has access to. For Direct APIs, the scope will always be: eats.deliveries. For Org APIs, the scope will always be: direct.organizations. |
¶ Authentication Response
```json
{
  "access_token": "<TOKEN>",
  "expires_in": 2592000,
  "token_type": "Bearer",
  "scope": "eats.deliveries"
}
```
The access_token field will contain the token used to authenticate against the Uber Direct APIs.
The expires_in field indicates the lifetime of the access token, provided in seconds. Tokens are valid for 30 days (2,592,000 seconds) and should be cached and re-used across requests until (or shortly before) expiration. A token should NOT be re-generated per request. Existing tokens cannot be refreshed, but new tokens can be created as many times as needed.
Note: Client credential grant type requests will be rate limited to 100 requests per hour.
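The caching rule above (reuse one token for its full lifetime and stay under the hourly rate limit), as an added Python example that is not code from Uber's documentation. The TokenCache class, the UBER_CLIENT_ID and UBER_CLIENT_SECRET environment variable names and the 300-second renewal margin are assumptions made for illustration.

```python
import json
import os
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.uber.com/oauth/v2/token"  # endpoint from this page


def fetch_token(scope="eats.deliveries"):
    """POST the client_credentials grant; secrets come from the environment.

    UBER_CLIENT_ID / UBER_CLIENT_SECRET are variable names assumed here.
    """
    form = urllib.parse.urlencode({
        "client_id": os.environ["UBER_CLIENT_ID"],
        "client_secret": os.environ["UBER_CLIENT_SECRET"],
        "grant_type": "client_credentials",
        "scope": scope,
    }).encode()
    # urllib sends data as application/x-www-form-urlencoded by default
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hands out one cached token until shortly before it expires."""

    def __init__(self, fetch=fetch_token, clock=time.time, margin=300):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0
        self.fetch_count = 0  # compare against the documented hourly limit

    def get(self):
        with self._lock:  # only one thread requests a new token at a time
            if self._token is None or self._clock() >= self._expires_at - self._margin:
                body = self._fetch()
                self.fetch_count += 1
                self._token = body["access_token"]
                self._expires_at = self._clock() + int(body["expires_in"])
            return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}
```

Create one TokenCache per process and pass auth_header() to each Direct API call; the token never needs to be written to logs or source control.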
For examples on obtaining the access token using Node.js and Python, please refer to the following resources:
¶ Example Node.js
```javascript
var request = require('request');

// Set the API endpoint and request options
var options = {
  method: 'POST',
  url: 'https://auth.uber.com/oauth/v2/token',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  form: {
    client_id: '<CLIENT_ID>', // Replace with your actual Client ID
    client_secret: '<CLIENT_SECRET>', // Replace with your actual Client Secret
    grant_type: 'client_credentials',
    scope: 'eats.deliveries', // The scope of access required
  },
};

// Send the request to Authorization API
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body); // Print the response body containing the access token
});
```
¶ Example Python
```python
import requests

url = "https://auth.uber.com/oauth/v2/token"

# Set the payload with required parameters
payload = {
    'client_id': '<CLIENT_ID>',  # Replace with your actual Client ID
    'client_secret': '<CLIENT_SECRET>',  # Replace with your actual Client Secret
    'grant_type': 'client_credentials',
    'scope': 'eats.deliveries',  # The scope of access required
}
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

# Send the request to Authorization API; the timeout stops a stalled connection from hanging the caller
response = requests.post(url, headers=headers, data=payload, timeout=10)
print(response.text)  # Print the response text containing the access token
```
¶ Access Token Usage
Pass the access_token returned in the previous step as a bearer token in the Authorization header of other Direct API endpoints.
Note that all Direct endpoints besides Authentication (above) expect requests to be encoded as application/json. See the example below, in curl, for the Create Quote API:
```bash
curl --request POST 'https://api.uber.com/v1/customers/<customer_id>/delivery_quotes' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN>' \
  --data-raw '{
    "pickup_address": "{\"street_address\": [\"20 W 34th St\", \"Floor 2\"],\"state\":\"NY\",\"city\":\"New York\",\"zip_code\":\"10001\",\"country\":\"US\"}",
    "dropoff_address": "{\"street_address\": [\"285 Fulton St\", \"\"],\"state\":\"NY\",\"city\":\"New York\",\"zip_code\":\"10006\",\"country\":\"US\"}"
  }'
```
Parameter | Description |
---|---|
customer_id | Unique 128-bit UUID for the organization. It can be found under the Developers tab in Direct Dashboard. |
TOKEN | The access_token returned in the previous step, used to authenticate against the Uber Direct APIs. |
¶ Authentication Error Codes
Error Code | Description |
---|---|
invalid_request | Required parameters were not provided. |
invalid_client | The client ID or secret provided is invalid. |
invalid_scope | The scope provided is invalid. |
server_error | The server returned an unknown error. |
unauthorized | Invalid OAuth 2.0 credentials provided. |