Uber Developers

Organization Authorization Update Notification

WEBHOOK: POSThttps://<YOUR_WEBHOOK_URI> event_type: organization_management.authorization_updated

Event indicating that an organization’s authorization is updated.

¶ Retry Attempts

If for some reason the Uber API cannot reach the webhook URL you specified either due to networking issues or application issues on your end, the webhooks service will retry to make a request.

We have implemented an exponential back-off algorithm with a back-off multiplier of 30 seconds which will make up to 7 attempts. This means we will attempt to request your webhook URL up to 7 times across roughly 1 hour.

¶ Webhook Headers

The Uber API will insert specialized headers for all requests made to your webhook URL to help your application utilize them appropriately.

Header	Description
`X-Environment`	Indicates if this request is coming from the `production` or `sandbox` API.
`X-Uber-Signature`	SHA256 hash of the request body, computed using the app’s signing key as the key.

¶ Webhook Security

Webhook messages are signed so that your app can verify that the sender is Uber. Webhooks requests contain an X-Uber-Signature header. The value of this field is a hexadecimal HMAC signature of the webhook HTTP request body, using signing key of primary webhook url as a key and SHA256 as the hash function.

Python Example

digester = hmac.new(signing_key, webhook_body, hashlib.sha256)
return digester.hexdigest()

Due to a strict interpretation of the JSON specification by JavaScript, if there are backslashes sent in the POST body, they will be removed upon parsing. This prevents webhook receivers implemented in NodeJS from verifying the webhook signature accurately. We are working on removing all backslashes from the payload in order to avoid this situation and will remove this note when that work is done.

¶ Polling

For critical applications, we recommend complementing your webhook’s implementation with regular polling in case webhook notifications are lost.

¶ Webhook Event Structure

Name	Type	Description
`event_type`	`string`	The type of event that occurred.
`organization_id`	`string`	Organization ID for which authorization was updated
`partner_data`	`object`	Partner specific payload. (Can have custom key value pairs) [Available for specific partners]
`scopes`	`[]string`	List of Scopes for which authorization was updated
`status`	`string`	Authorization Status of Organization (GRANTED/REVOKED)
`event_type`	`string`	Event Type
`webhook_meta`	`object`	The object containing additional information that is specific to the `webhook`.
`webhook_meta.client_id`	`string`	Client ID for the developer
`webhook_meta.webhook_config_id`	`string`	Unique identifier of the webhook type.
`webhook_meta.webhook_msg_timestamp`	`integer`	Unix timestamp of the time when the webhook event was pushed.
`webhook_meta.webhook_msg_uuid`	`string`	Unique identifier, which can be used to ensure that the webhooks are digested only once.

¶ Example Webhook

{
  "event_type": "organization_management.authorization_updated",
  "organization_id" :"00000-9435-4883-a320-dfb09dabcefg",
  "scopes":["business.receipts", "business.employees"],
  "status":"GRANTED",
  "partner_data": {
    "partner_identifier": "000000-1e41-4a79-b786-c60fa164335a"
  },
  "webhook_meta": {    
    "client_id": "uDfYYQXG8GKuc47JVIwxyzspOB_AbcDe",
    "webhook_config_id": "u4b-business.organization-authorization-updated",
    "webhook_msg_timestamp": 1676458033,
    "webhook_msg_uuid": "f543d5e2-ea44-41e5-a395-e7fc9344a0e7"
  }
}