Uber Developers

POST /token

You are viewing the latest version of this endpoint.

¶ API Authentication: OAuth 2.0 Token Endpoint

The POST /token endpoint allows you to authorize your application and get an access_token using the authorization_code or client_credentials grant. You can also refresh the access_token using the refresh_token grant.

¶ Resource

POST https://auth.uber.com/oauth/v2/token

Note: This endpoint requires https://auth.uber.com as a base URL.

¶ Authorization

None

¶ POST Parameters

Parameter	Type	Description
`client_id`	`string`	The Client ID of your application.
`client_secret`	`string`	The Client Secret of your application.
`grant_type`	`string`	The Grant Type is either `authorization_code`, `client_credentials`, or `refresh_token`.
`redirect_uri`	`string`	The URI we will redirect back to after an authorization by the resource owner. The base of the URI must match the `redirect_uri` used during the registration of your application.
`code`	`string`	The authorization code.
`scope`	`string`	The space delimited list of scopes.

¶ Example Request - Access Token (authorization_code)

Exchange an authorization code for an access_token, which will allow you to make requests on behalf of a user.

curl -F 'client_secret=<CLIENT_SECRET>' \
    -F 'client_id=<CLIENT_ID>' \
    -F 'grant_type=authorization_code' \
    -F 'redirect_uri=<REDIRECT_URI>' \
    -F 'scope=profile' \
    -F 'code=<AUTHORIZATION_CODE>' \
    https://auth.uber.com/oauth/v2/token

Note: Access tokens are valid for 30 days. The expiration time is specified in seconds in the ‘expires_in’ key of the token payload. Note: The client ID must match the client ID from the authorization code flow.

¶ Example Request - Refresh Token

If you requested the access token with the offline_access scope the response will include a refresh_token which can be used to refresh the access_token.

curl -F 'client_secret=<CLIENT_SECRET>' \
    -F 'client_id=<CLIENT_ID>' \
    -F 'grant_type=refresh_token' \
    -F 'refresh_token=<REFRESH_TOKEN>' \
    https://auth.uber.com/oauth/v2/token

¶ Example Request - Access Token (client_credentials)

Some Uber API endpoints require scopes that are only available via Client Credentials grant. Generally, these scopes don’t control access to any individual users’ information, but instead provide the application itself the authorization to perform certain tasks in the API.

Note It is not possible to mix scopes that require the client credentials grant (app) and scopes that require the authorization grant (user). Please separate the requests for those scopes.

Note: Client credentials grant type requests will be rate limited to 100 requests per hour. After generating 100 tokens with the client credentials grant type, creating a new token will invalidate the oldest token.

curl
  -X POST
  -F "client_id=<CLIENT_ID>" \
  -F "client_secret=<CLIENT_SECRET>" \
  -F "grant_type=client_credentials" \
  -F "scope=SPACE_DELIMITED_LIST_OF_SCOPES" \
  "https://auth.uber.com/oauth/v2/token"

¶ Response

Status-Code: 200 OK

{
    "access_token": "xxx",
    "token_type": "Bearer",
    "expires_in": 2592000,
    "refresh_token": "xxx",
    "scope": "profile history"
}

The access_token is good for a limited period of time described by the expires_in field (in seconds).

¶ Error Responses

Here are common error responses and the possible reason for each response.

Status Code: 401 Unauthorized

{
  "error": "invalid_grant"
}

You are using an invalid refresh_token. You can generate multiple access tokens, but you can only use the latest generated refresh_token.
You supplied an invalid code when exchanging an authorization code for an access_token.

Status Code: 400 Bad Request

{
  "error": "unsupported_grant_type"
}

You supplied an invalid string for grant_type field. Only refresh_token, authorization_code and client_credentials are valid values.

Status Code: 401 Unauthorized

{
  "error": "invalid_client"
}

Either your client_id or client_secret is invalid.