Integration Guide - Testing
¶ Testing
In this section, learn how to test your requests before you send them to Uber, use the Sandbox testing environment, and perform production testing.
¶ Sandbox testing
This environment resembles production as much as possible. You test your integration on this environment. Your scenario functions similar to how they work in a production environment except accounts are test accounts.
You should make requests to the Sandbox and testing environments to:
https://sandbox-api.uber.com/
¶ Sandbox deposit
This endpoint initializes a deposit and calls the partner init-deposit
endpoint. It generates a deposit URL. It is for testing only and Uber refuses any request on the production environment. The endpoint you call is: POST /v1/payments/deposits/:id/init
¶ Sandbox authentication
The sandbox public key is the following:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnYzMrDq+EnccKtcs5gQM
uP5aDe9WzdBGyUiervrFCEXmVW+T2nsSKJJR02H84LBKPjz2ioI3L289q1Qx1gj7
gvV9VZCaKejIsdKWnM5QW/1VvARWL2diScZzp5OxKX78X8aevvts79B9cVZUiEOU
E4+TTe9qLOQvbc9SssTbdqiA+1xqU+wW7IfHm5cC5kLb+Kv3pqJ63lMTx2L1iNuO
xinwun8lpdRl2+c7LswqqpUfI7Hfk0QF/XJO01BXsDxCzxkuHoWa4SNL+gNx3M69
vc5ymlZHJNZRPLMIe4+VVRaDe0dCOUcHz3cmXCjkLKfdd3JFAG+8FU/CvE1qzyP4
pwIDAQAB
-----END PUBLIC KEY-----
See the Signature validation section for more details.
¶ Path parameters
Name | Type | Description |
---|---|---|
id |
UUID | Deposit ID |
¶ Request
Name | Type | Description |
---|---|---|
funding_method |
String | The payment method used to fund this deposit |
country_iso2 |
String | The country in which this deposit is created — ISO3166 |
destination |
<Object> | Should be left empty for this request |
amount |
<Object> | Value of currency, ISO4217. The value is in E5 format (x * 100000). For example, 10 BRL is: {"value": 1000000, "currency": "BRL"} |
locale |
String | Locale is used for the UI experience |
¶ Example request
You should leave the destination field in the request empty, and Uber inserts a test user value. You can use the example below and replace $token
with the API key, and replace $id
with a new, generated UUID.
curl -X POST \
"https://sandbox-api.uber.com/v1/payments/deposits/$id/init"
-H "Authorization: Bearer $token" \
-H 'Content-Type: application/json' \
-d '{
"funding_method": "BOLETO",
"country_iso2": "BR",
"destination": {},
"amount": {
"value": 100000,
"currency": "BRL"
},
"locale": "pt-BR"
}'
The following is an example response to the example request:
{
"deposit_url": "https://api.partner.com/checkout?id=merchant_reference"
}
¶ Signature validation
This is how an init-deposit request from Uber looks like:
curl -X POST \
https://uber.partner.com/v1/payments/init-deposit \
-H 'Accept-Language: pt-BR' \
-H 'Date: Sat, 08 Jun 2019 20:51:35 GMT' \
-H 'Digest: SHA-256=YSBHoalsyyGKflQVxab5PvyRhpB+PzZ18iSWIaX5vtY==' \
-H 'Signature: keyId="rsa-key", algorithm="rsa-sha256",
headers="(request-target) host date digest",
signature="bclwlUnUAE4IqMf7J/4GcgD32YMusPt0VkfM9AQX6MHKWf+59VRrNMZuyTzlmgUYzi5m79jONfReHqG/2dj99NkobwoT4XcZp2gWNrlIz2dpsyY0Nt3adOXThfAd2vDYXJtHsscKHBd5+f78GZQl3vCS3f2Wm0PiOZfqAr01YwGzpRVie0IcuWI7BEKd/fwjbaCPJc40Yax4grnA7O676T32e3qjRR0nwvg+jR2lzoIEYfg6dLHooGZdagl9riVPMO0c92GVf/48RWLZZd1mZQcfBxxDRwRaWRo10LQ+Mb/4p6aeLm9ilzafGL5ZJ8JiANETotq0eJSHNI2A0V+7uQ=="'
-H 'X-Correlation-ID: c900d4dd-7070-4e0b-9323-8f24cfde0490' \
-H 'Content-Type: application/json' \
-d '{"funding_method":"BOLETO","destination":{"owner_id":"105b9291-6ff1-4938-899e-4bfafa69a6c7","id":"cHBfNjFhN2QyODktZmI3Mi00YzgxLThlYjAtODRlZDIyMjFmNDNi"},"source":{"owner_id":"a66b36d5-887c-4e7c-9edb-9fcbef108e83","id":"Z3NfYTE0OGQ5MzMtOGVkMS00MzA0LThiNzAtNTE0MjMyMzg2MjQw"},"amount":{"value":100000,"currency":"BRL"},"country_iso2":"BR","description":"I’m a deposit in sandbox.","session_id":"8b31b7f4-3542-4391-817c-d496ce84a7ae","initiated_at":"2019-06-08T20:51:35Z","return_url":"uber://payments/deposit?correlation_id=c900d4dd-7070-4e0b-9323-8f24cfde0490"}'
You can test your requests before you send them to Uber with the OpenSSL cmd-line. For example:
openssl dgst -sha256 -verify {PUBLIC_KEY_FILE} -signature {SIGNATURE_FILE} {DECODED_HEADERS_FILE}
PUBLIC_KEY_FILE
: Public key fileSIGNATURE_FILE
: File containing only the signature of the header,base64
decoded. For the above example, this file contains the result of the command.
For example, the SIGNATURE_FILE
looks like this:
echo bclwlUnUAE4IqMf7J/4GcgD32YMusPt0VkfM9AQX6MHKWf+59VRrNMZuyTzlmgUYzi5m79jONfReHqG/2dj99NkobwoT4XcZp2gWNrlIz2dpsyY0Nt3adOXThfAd2vDYXJtHsscKHBd5+f78GZQl3vCS3f2Wm0PiOZfqAr01YwGzpRVie0IcuWI7BEKd/fwjbaCPJc40Yax4grnA7O676T32e3qjRR0nwvg+jR2lzoIEYfg6dLHooGZdagl9riVPMO0c92GVf/48RWLZZd1mZQcfBxxDRwRaWRo10LQ+Mb/4p6aeLm9ilzafGL5ZJ8JiANETotq0eJSHNI2A0V+7uQ== | base64 -D
DECODED_HEADERS_FILE
: File containing headers that are being used to form the signature text, for the example above the file looks like this:
(request-target): post /v1/payments/init-deposit
host: uber.partner.com
date: Sat, 08 Jun 2019 20:51:35 GMT
digest: SHA-256=YSBHoalsyyGKflQVxab5PvyRhpB+PzZ18iSWIaX5vtY=
Note that for the openssl
validation command to work, do not provide a line ending character at the end of DECODED_HEADERS_FILE
or SIGNATURE_FILE
.
You should only include :{PORT}
in case of non-standard ports for the given scheme as we show in the example above. For example, since port 443
is the default port for the https
scheme, we don’t include it in the resulting host
header text in the above example with URL https://uber.partner.com/v1/payments/init-deposit
. If the URL is https://uber.partner.com:9443/v1/payments/init-deposit
, then you should provide the host header with uber.partner.com:9443
.
We perform signature validation based on the order of the header items are important for the signature validation. Therefore, you should provide it as (request-target), host, date, digest
.
¶ Production testing
When you launch the app or service for your customers, integrate with this environment.You are responsible for any money the system deposits into customer accounts when you call this API in production. Do not share production API keys. Follow the security best practices in dealing with the production environment and when you handle all the associated data including the API key.