POST /token

You are viewing the latest version of this endpoint.

API Authentication: OAuth 2.0 Token Endpoint

The POST /token endpoint allows you to authorize your application and get an access_token using the authorization_code or client_credentials grant. You can also refresh the access_token using the refresh_token grant.



Note: This endpoint requires as a base URL.



POST Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| client_id | string | The Client ID of your application. |
| client_secret | string | The Client Secret of your application. |
| grant_type | string | The Grant Type is either authorization_code, client_credentials, or refresh_token. |
| redirect_uri | string | The URI we will redirect back to after an authorization by the resource owner. The base of the URI must match the redirect_uri used during the registration of your application. |
| code | string | The authorization code. |
| scope | string | The space delimited list of scopes. |

Example Request - Access Token (authorization_code)

Exchange an authorization code for an access_token, which will allow you to make requests on behalf of a user.

# <BASE_URL> is a placeholder for the endpoint's base URL.
curl -F 'client_secret=<CLIENT_SECRET>' \
    -F 'client_id=<CLIENT_ID>' \
    -F 'grant_type=authorization_code' \
    -F 'redirect_uri=<REDIRECT_URI>' \
    -F 'scope=profile' \
    -F 'code=<AUTHORIZATION_CODE>' \
    '<BASE_URL>/token'

Note: Access tokens are valid for 30 days. The expiration time is specified in seconds in the 'expires_in' key of the token payload.

Note: The client ID must match the client ID from the authorization code flow.

Example Request - Refresh Token

If you requested the access token with the offline_access scope, the response will include a refresh_token, which can be used to refresh the access_token.

# <BASE_URL> is a placeholder for the endpoint's base URL.
curl -F 'client_secret=<CLIENT_SECRET>' \
    -F 'client_id=<CLIENT_ID>' \
    -F 'grant_type=refresh_token' \
    -F 'refresh_token=<REFRESH_TOKEN>' \
    '<BASE_URL>/token'

Example Request - Access Token (client_credentials)

Some Uber API endpoints require scopes that are only available via Client Credentials grant. Generally, these scopes don’t control access to any individual users’ information, but instead provide the application itself the authorization to perform certain tasks in the API.

Note: It is not possible to mix scopes that require the client credentials grant (app) and scopes that require the authorization grant (user). Please separate the requests for those scopes.

Note: Client credentials grant type requests will be rate limited to 100 requests per hour. After generating 100 tokens with the client credentials grant type, creating a new token will invalidate the oldest token.

# <BASE_URL> is a placeholder for the endpoint's base URL.
curl \
  -F "client_id=<CLIENT_ID>" \
  -F "client_secret=<CLIENT_SECRET>" \
  -F "grant_type=client_credentials" \
  "<BASE_URL>/token"


Status-Code: 200 OK

{
    "access_token": "xxx",
    "token_type": "Bearer",
    "expires_in": 2592000,
    "refresh_token": "xxx",
    "scope": "profile history"
}

The access_token is good for a limited period of time described by the expires_in field (in seconds).

Error Responses

Here are common error responses and the possible reason for each response.

Status Code: 401 Unauthorized

  { "error": "invalid_grant" }

  1. You are using an invalid refresh_token. You can generate multiple access tokens, but you can only use the latest generated refresh_token.
  2. You supplied an invalid code when exchanging an authorization code for an access_token.

Status Code: 400 Bad Request

  { "error": "unsupported_grant_type" }

You supplied an invalid string for the grant_type field. Only refresh_token, authorization_code and client_credentials are valid values.

Status Code: 401 Unauthorized

  { "error": "invalid_client" }

Either your client_id or client_secret is invalid.
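The following is an added example, not code from this page or from the API provider: a client-side token store that applies the rules above (expiry from expires_in, keeping only the latest refresh_token, and one action per documented error). The class name, action names and the 300-second refresh margin are assumptions, and the payloads are constructed samples.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Error codes documented above, mapped to client actions (action names are assumptions).
ERROR_ACTIONS = {
    "invalid_grant": "reauthorize",           # stale refresh_token or bad code
    "unsupported_grant_type": "fix_request",  # client bug, retrying cannot help
    "invalid_client": "check_credentials",    # wrong client_id or client_secret
}

@dataclass
class TokenStore:
    skew: int = 300  # assumption: refresh 5 minutes before the stated expiry
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0
    scopes: frozenset = frozenset()

    def apply(self, status: int, body: dict, now: Optional[float] = None) -> str:
        """Update state from one /token response and return the action to take."""
        now = time.time() if now is None else now
        if status != 200:
            action = ERROR_ACTIONS.get(body.get("error"), "fail")
            if action == "reauthorize":
                # Stored tokens can no longer be refreshed: drop them all.
                self.access_token = self.refresh_token = None
                self.expires_at, self.scopes = 0.0, frozenset()
            return action
        if str(body.get("token_type", "")).lower() != "bearer":
            return "fail"  # unknown token type: do not store or send it
        self.access_token = body["access_token"]
        # Only the latest refresh_token is accepted, so overwrite the old one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(body["expires_in"])
        self.scopes = frozenset(body.get("scope", "").split())
        return "ok"

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at - self.skew

# Constructed sample payloads shaped like the responses on this page.
SAMPLE_OK = {"access_token": "xxx", "token_type": "Bearer", "expires_in": 2592000,
             "refresh_token": "xxx", "scope": "profile history"}
SAMPLE_ERR = {"error": "invalid_grant"}

if __name__ == "__main__":
    store = TokenStore()
    print(store.apply(200, SAMPLE_OK), sorted(store.scopes))
    print(store.apply(401, SAMPLE_ERR), store.needs_refresh())
```

Persist the store's refresh_token atomically after every successful refresh; replaying an older one is the first cause listed for invalid_grant.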


© 2023 Uber Technologies Inc.