Uber

Developers

Authentication

Overview

The Driver API supports the OAuth 2.0 authentication mechanism to gain access to a driver’s data.

User Access Token authentication

The Uber API uses OAuth 2.0 to allow developers to get a user access token to access a single driver’s data. OAuth 2.0 is a specification outlined in RFC 6749 that allows third-party services to make requests on behalf of a driver without accessing passwords and other sensitive information. If you are unfamiliar with OAuth 2.0, check out Aaron Parecki’s “OAuth 2 Simplified” guide.

We strongly recommend that you use a pre-built library to perform the authorization grant and token exchanges for OAuth 2.0. If you go this route, all you will need are the endpoints below and to specify your redirect URL in the application dashboard.

OAuth 2.0 endpoints

Authorization Host         https://auth.uber.com
Authorization Endpoint     https://auth.uber.com/oauth/v2/authorize
Token Exchange Endpoint    https://auth.uber.com/oauth/v2/token

Step 1: Authorize

The first step of the flow is to direct your driver to the authorization URL and supply the query parameters described below.

First, the driver has to grant your app permission to access their data or do actions on their behalf. Uber provides an authorization page where drivers can securely sign in with their Uber username and password to grant permissions to your app. This authorization page is accessed through the authorization URL. To ensure that the driver grants permission to your app properly, supply query parameters to that URL as described below.

https://auth.uber.com/oauth/v2/authorize?client_id=<CLIENT_ID>&response_type=code&redirect_uri=<REDIRECT_URI>

Parameter        Description
response_type    OAuth 2.0 response type. code is the only acceptable input at this time.
client_id        The client ID of your application.
scope            Space-delimited list of grant scopes you would like permission to access on behalf of the driver. Check out Scopes to see the valid subset of scopes for the Driver API. If none is provided, the default is the set selected in your application's dashboard. It is invalid to provide no scopes and have none selected in the dashboard.
redirect_uri     The URI we will redirect back to after authorization by the resource owner. The base of the URI must match the redirect_uri used during the registration of your application. If none is provided, the default is the first redirect URI provided in the dashboard.
state (optional) An opaque value that is passed back to you unchanged on the redirect so you can verify that the redirect belongs to a request your app started; this is the OAuth 2.0 protection against forged or tampered redirects.

After you’ve supplied the needed parameters, present this authorization URL as a link for the driver to visit. Usually, this link will say “Sign in with Uber”.

When drivers visit the authorization page and sign in, they will see a page that looks like this, asking them to authorize your app with the scopes you provided above.

[Image: sample authorization page showing the requested scopes]

Step 2: Receive redirect

Once the driver authenticates and authorizes your app, Uber will issue an HTTP 302 redirect to the redirect_uri passed in or the default when none is explicitly provided. On that redirect, you will receive a single-use authorization code which expires in 10 minutes.

GET https://your-redirect-uri/?code=AUTHORIZATION_CODE

Step 3: Get an access token

Use the Token Exchange Endpoint to exchange this authorization code for an access_token which will allow you to make requests on behalf of the user.

Example Request:

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=authorization_code' \
     -F 'redirect_uri=<REDIRECT_URI>' \
     -F 'code=AUTHORIZATION_CODE_FROM_STEP_2' \
     https://auth.uber.com/oauth/v2/token

Example Response:

{
    "access_token": "<TOKEN>",
    "expires_in": 2592000,
    "token_type": "Bearer",
    "refresh_token": "REFRESH_TOKEN",
    "scope": "partner.accounts partner.payments partner.trips"
}

The access_token is valid for the time described by expires_in (in seconds). The refresh_token expires after one year and can be used to obtain a new access_token at any time given that your application is still authorized to access the API on behalf of this user.

Step 4: Use bearer token

Pass the access_token returned in the previous step as a bearer token in the Authorization header.

OAuth token (sent in a header)

curl -H 'Authorization: Bearer <TOKEN>' 'https://api.uber.com/v1/partners/me'

Refreshing tokens
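The four steps above as one server-side client, written here as an added example rather than code from Uber's documentation or SDK. It only uses the Python standard library. The endpoints and form fields are the ones on this page; everything else is an assumption: the state value is generated and checked by the client (the page only says state is passed back to you), an error query parameter on the redirect is handled as RFC 6749 describes it even though the page shows only the success case, and the token endpoint is assumed to accept an application/x-www-form-urlencoded body in place of the multipart body that curl -F sends. Function names such as parse_redirect and login_flow_example are this example's own.

```python
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.uber.com/oauth/v2/authorize"
TOKEN_URL = "https://auth.uber.com/oauth/v2/token"
API_ME = "https://api.uber.com/v1/partners/me"


def new_state():
    """Unguessable per-login value; store it in the driver's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 1: the 'Sign in with Uber' link. scopes is a list of Driver API scope names."""
    params = {
        "client_id": client_id,
        "response_type": "code",       # the only accepted value
        "redirect_uri": redirect_uri,  # base must match the dashboard entry
        "scope": " ".join(scopes),     # space delimited; urlencode encodes the spaces
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(callback_url, expected_state):
    """Step 2: check the redirect and return the single-use code (valid for 10 minutes).

    Raises ValueError when the state does not match the one stored for this
    session, so a redirect that this driver's session did not start is never
    exchanged for a token.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:  # RFC 6749 error redirect (assumed; not shown on the page)
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: ignoring redirect")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def token_exchange_form(client_id, client_secret, redirect_uri, code):
    """Step 3: the same fields as the curl example, as a dict for post_form."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,  # server side only; never send it to a browser
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
    }


def post_form(url, form):
    """POST a form and decode the JSON reply (network call; not exercised offline).

    Assumption: the endpoint accepts application/x-www-form-urlencoded.
    """
    data = urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def bearer_headers(access_token):
    """Step 4: the Authorization header for Driver API calls."""
    return {"Authorization": "Bearer " + access_token}


def login_flow_example(client_id, client_secret, redirect_uri, callback_url, session):
    """Ties the steps together; session is a dict holding the state saved in Step 1."""
    code = parse_redirect(callback_url, session.get("oauth_state", ""))
    form = token_exchange_form(client_id, client_secret, redirect_uri, code)
    tokens = post_form(TOKEN_URL, form)
    req = urllib.request.Request(API_ME, headers=bearer_headers(tokens["access_token"]))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())
```

The state check is the piece most often skipped in hand-rolled clients: without it, a redirect carrying someone else's authorization code would be exchanged and the attacker's Uber account silently linked to the victim's session. Generate the value with new_state(), store it in the driver's session before issuing the redirect, and compare it in constant time on the way back.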

When the driver’s access_token has expired, obtain a new access_token by exchanging the refresh_token associated with the access_token. Note: The client ID must match the client ID from the authorization code flow.

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=refresh_token' \
     -F 'refresh_token=REFRESH_TOKEN' \
     https://auth.uber.com/oauth/v2/token

A refresh_token is valid for one year, and tokens that have been inactive for more than one year are invalidated. As noted above, the client ID must match the client ID from the authorization code flow.

Revoking tokens

There are two ways that a user access token can be revoked: either you revoke it yourself upon the driver’s request, or the driver can go to the Riders Profile page and click ‘Disconnect’ on your app.

Drivers can use their account to log in to the Rider dashboard. The Driver Dashboard does not currently display connected applications.

Within your app’s interface, you may present the option of “disconnecting” a driver’s Uber account from your app. Use the revoke endpoint to invalidate a user access token:

curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'token=<TOKEN>' \
     https://auth.uber.com/oauth/revoke

If a driver disconnects your application from the Riders Profile, it will invalidate any existing tokens and your app will not be able to refresh any tokens. To gain access again, you will have to go through the entire flow from Step 1.

Debugging & authentication errors

Expect access token lengths to change over time as Uber makes changes to what is stored in them and how they are encoded. To account for this, please use a variable length data type without a specific maximum size to store access tokens and refresh tokens.

Error                      Description
invalid_request            Required parameters were not provided.
invalid_client             The client ID or secret provided is invalid.
invalid_grant              Valid grant types are authorization_code and refresh_token.
invalid_scope              The scope parameter provided is not a valid subset of scopes.
server_error               The server returned an unknown error.
temporarily_unavailable    The endpoint is temporarily unable to respond.
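A token holder that applies the lifetime rules from Refreshing tokens and Revoking tokens, stores tokens without a length cap as the debugging note asks, and sorts the error codes in the table above into retryable and non-retryable. This is an added example, not Uber's code; the expiry figures and form fields come from this page, while the one-minute refresh skew, the JSON error body shape ({"error": "..."} as in RFC 6749 section 5.2), the optional rotated refresh_token in a refresh response, and the class and method names are assumptions of the example.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://auth.uber.com/oauth/v2/token"
REVOKE_URL = "https://auth.uber.com/oauth/revoke"
ONE_YEAR = 365 * 24 * 60 * 60  # refresh-token lifetime and inactivity limit from the page

# Error codes from the table. "retry" = transient, back off and try again;
# "client_bug" = a request or configuration problem that retrying will not fix.
RETRYABLE = {"server_error", "temporarily_unavailable"}
CLIENT_BUGS = {"invalid_request", "invalid_client", "invalid_grant", "invalid_scope"}


def classify_error(error_code):
    if error_code in RETRYABLE:
        return "retry"
    if error_code in CLIENT_BUGS:
        return "client_bug"
    return "unknown"


class DriverTokens:
    """One driver's tokens. Token fields are plain str with no maximum length,
    because the page says token lengths and encodings change over time."""

    def __init__(self, token_response, now):
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response["refresh_token"]
        self.scope = token_response.get("scope", "")
        self.access_expires_at = now + int(token_response["expires_in"])
        self.refresh_issued_at = now   # refresh_token is valid for one year
        self.last_active = now         # and dies after one year of inactivity
        self.needs_reauthorization = False

    def access_token_valid(self, now, skew=60):
        """True while the access token is usable; skew (assumed) refreshes a little early."""
        return self.access_token is not None and now < self.access_expires_at - skew

    def refresh_token_valid(self, now):
        """Both one-year rules from the page must hold for a refresh to be attempted."""
        return (self.refresh_token is not None
                and now - self.refresh_issued_at < ONE_YEAR
                and now - self.last_active < ONE_YEAR)

    def refresh_form(self, client_id, client_secret):
        """Body for the refresh exchange; client_id must be the one used in Step 1."""
        return {
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
        }

    def revoke_form(self, client_id, client_secret):
        """Body for the revoke endpoint, used when the driver disconnects inside your app."""
        return {"client_id": client_id, "client_secret": client_secret, "token": self.access_token}

    def apply_refresh_response(self, response, now):
        """Update from the token endpoint's JSON reply; returns an action for the caller."""
        if "error" in response:  # error body shape assumed from RFC 6749
            return classify_error(response["error"])
        self.access_token = response["access_token"]
        self.access_expires_at = now + int(response["expires_in"])
        if "refresh_token" in response:  # assumption: a refresh may rotate the refresh token
            self.refresh_token = response["refresh_token"]
            self.refresh_issued_at = now
        self.last_active = now
        return "ok"

    def forget(self):
        """Call after a revoke, or when the driver disconnected the app in the Riders
        Profile: existing tokens are dead and the driver must start again at Step 1."""
        self.access_token = None
        self.refresh_token = None
        self.needs_reauthorization = True


def encoded_form(form):
    """The wire form of a request body, for logging field names (never secrets)."""
    return urlencode(form)
```

A client_bug result on a refresh is not something to loop on: the request or the app's credentials are wrong, and repeating it just burns rate limit. When the driver has disconnected the app from the Riders Profile, refresh stops working as the page states; forget() is the point where the app drops its copy and shows the "Sign in with Uber" link again.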

© 2023 Uber Technologies Inc.