Uber Developers

Authentication

POSThttps://auth.uber.com/oauth/v2/token

Access to These APIs May Require Written Approval From Uber

Uber’s APIs are always under development and as such are subject to changes according to our Versioning & Upgrade policy. As part of Uber’s ongoing privacy improvements, we’ve updated our Developer API program with new scope access policies for third party applications. For further information, please refer to our Getting Started guides.

The Eats API supports OAuth 2.0.

¶ Reference

Key	Value
`url`	https://auth.uber.com/oauth/v2/token
`scope`	Space delimited list of scope(s) that you would like to generate a token for.
`grant_type`	Based on scope(s). Either `client_credentials` for an application generated token (to access Store, Menu, Order and Reporting endpoints) or `authorization_code` for a user access token (to access POS Provision endpoints).

¶ Scopes

The following scopes are available for use with the Uber Eats Marketplace APIs. To gain access to scopes in production, your app must first be approved and whitelisted by the Uber Eats team.

Each Eats endpoint requires one of the scopes listed below and the token generated for the scope(s) must be used correspondingly. Note the grant type associated to each scope. Multiple scopes can be authorized using the same access token, provided that the grant type is the same.

Scope	Grant Type	Description
`eats.store`	`client-credentials`	Indicates a token has permission to update and retrieve store and menu information.
`eats.store.status.write`	`client-credentials`	Indicates a token has permission to set store availability (pause/unpause stores without changing menu hours).
`eats.order`	`client-credentials`	Indicates a token has permission to accept/deny/cancel orders and read v1 orders.
`eats.store.orders.read`	`client-credentials`	Indicates a token has permission to read v2 orders.
`eats.report`	`client-credentials`	Indicates a token has permission to generate reports (e.g. transaction reports) for stores.
`eats.pos_provisioning`	`authorization-code`	Indicates a token has permission to setup/remove pos integration and retrieve stores.

¶ Generating a Client Credentials Token

To generate a client credentials token, retrieve your client_id and client_secret for your app from the Developer Dashboard and see the example below. Note this endpoint expects requests to be encoded as application/x-www-form-urlencoded or multipart/form-data.

Note: Client credentials grant type requests will be rate limited to 100 requests per hour. After generating 100 tokens with the client credentials grant type, creating a new token will invalidate the oldest token.

¶ Example Request

curl -F "client_secret=$CLIENT_SECRET" \
    -F "client_id=$CLIENT_ID" \
    -F "grant_type=client_credentials" \
    -F "scope=eats.store" \
    https://auth.uber.com/oauth/v2/token

¶ Example Response

{
  "last_authenticated": 0,
  "access_token": "KA.ewogICJ2ZXJzaW9uIjogMiwKICAiaWQiOiAiZmFuY3kgc2VlaW5nIHlvdSBoZXJlLCBodHRwOi8vdC51YmVyLmNvbS9kZXYtcGxhdGZvcm0tam9icyIsCiAgImV4cGlyZXNfYXQiOiAxNDk3NzQxNjIyLAogICJwaXBlbGluZV9rZXlfaWQiOiAiZm9vYmFyIiwKICAicGlwZWxpbmVfaWQiOiAxCn0K.9jPtNyS9vHJ9HVmxA4Y6vwIcwv7v1tx1BMYwztpIeID",
  "expires_in": 2592000,
  "token_type": "Bearer",
  "scope": "eats.store",
  "refresh_token": ""
}

¶ Usage

The access_token field will contain the token used to authenticate against the Uber Eats APIs. Once you’ve obtained this token, you can provide it in the “Authorization” header of requests you make to endpoints that require client credentials scopes.

The expires_in field indicates the lifetime of the access token, provided in seconds. Tokens are valid for 30 days (2,592,000 seconds) and should be cached and re-used across requests until (or shortly before) expiration, not re-generated per request.

curl \
  -H 'authorization: Bearer <TOKEN>' \
  https://api.uber.com/v1/eats/stores

¶ Generating a User Access Token

The Uber API uses OAuth 2.0 to allow developers to get a user access token to access a single user’s data or do actions on their behalf. For steps on generating a user access token, refer to our User Access Token guide.

¶ FAQ

Can I use a user access token to execute on Menu and Order endpoints?

No. Menu and Order endpoints require an application-generated (client credentials) access token. It is not possible to generate one token with both eats.pos_provisioning (authorization_code grant type) and eats.order (client_credentials grant type) scopes.

Can my access token have multiple scopes associated?

Yes, if the scopes have the same grant type. For example, a single token can be generated to retrieve a store’s location data (eats.store); update a store’s status (eats.store.status.write); retrieve and accept an order (eats.order); and access a transaction report (eats.report).

¶ Next Steps

See the POS Provision guide for steps to set up programmatic provisioning for your stores.