All Uber APIs utilize OAuth 2.0, an industry standard protocol for Authorization. For more details about this protocol, refer here.

Uber’s Rental and Fleet Platform APIs use two modes of authorization:

• Authorization Code Grant and Client Credentials Grant. Authorization Code Used for APIs that access or expose information for a specific driver. This grant type involves an authorization code exchanged for an access token, providing secure and controlled access to driver-specific data.
• Client Credentials: Applied to APIs that do not require user-specific data. This grant type allows applications to authenticate directly and obtain an access token, suitable for general application access to the platform.

¶ OAuth using Authorization Code

The following describes the process for performing actions on behalf of a User, especially in cases involving data sharing within the user’s context. Examples include accessing user profile information, trip data, or saved locations. To use this authorization mode, explicit user consent is required to ensure compliance with data privacy regulations.

Supplier companies need to obtain an access token for the corresponding driver to call endpoints that provide driver information. The steps for obtaining the access token for a driver are outlined below (assuming that you already have a developer application to play with. Otherwise, go back here):

1. Application configuration

Supplier companies need to expose two HTTP endpoints: <REDIRECT_URI> and <PRIVACY_POLICY_URL>.

<REDIRECT_URI>	After a driver completes the OAuth process, an HTTP redirect will be made to this URL with an authorization code. This code can then be exchanged at the token exchange endpoint to obtain an access token corresponding to the driver.
<PRIVACY_POLICY_URL>	This URL links the OAuth screen to the rental company’s data handling policy, providing transparency about how driver data will be used and protected.

Both the Redirect URI and Privacy Policy URL must be registered in the developer dashboard.

2. Authorization

Initially, the driver must grant the application permissions to access their data or perform actions on their behalf. Uber provides an authorization page where drivers can securely sign in with their Uber username and password to grant permissions to the application. This authorization page is accessed via the authorization URL. To ensure proper permission-granting, query parameters must be supplied to that URL as described below.

https://bonjour.uber.com/marketplace/vehicle-solutions-agreement?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&response_type=code&scope=<SCOPES>&state=<STATE>

Parameter	Description
state	The state parameter serves as an identifier for the rental company to recognize the driver for whom the flow was triggered. This state will be passed back unaltered with the redirect.
clientID	Client ID of the application registered on the developer dashboard.
response_type	Should be hard-coded as code.
scope	Space-delimited list of grant scopes you would like to have permission to access on behalf of the driver. The OAuth screen will show these scopes while asking for a driver’s consent. Check the API reference for scope names.
redirect_uri	URL where the redirect will happen after the OAuth flow is completed. If none is provided, the first URL from the developer dashboard’s application will be used.

After supplying the necessary parameters, present this authorization URL as a link for the driver to visit. This link typically prompts the user to “Sign in with Uber”.

When the driver visits the authorization page, they will be taken through a few authorization steps to authorize the app.

3. Handling the redirection

After successful authentication and authorization of the app by the driver, Uber will initiate an HTTP 302 redirect to the specified redirect URI or default URI if not explicitly provided. During this redirect, the app will receive a single-use authorization code, which has a 10-minute expiration period.

You can use the single-use authorization code received in the previous step as a bearer token in the Authorization header.

GET https://<rental_company_base_uri>/redirect?code=<AUTHORIZATION_CODE>&state=<state>

4. Access token acquisition

Utilize the Token Exchange Endpoint to swap the authorization code for an access token. This access token enables you to make requests on behalf of the user and access any API that shares the user-related information.

• Token Exchange Endpoint

  https://auth.uber.com/oauth/v2/token
  

• Request

  curl --location 'https://auth.uber.com/oauth/v2/token' \
     --form 'client_secret="<CLIENT_SECRET>"' \
     --form 'client_id="<CLIENT_ID>"' \
     --form 'grant_type="authorization_code"' \
     --form 'redirect_uri="<REDIRECT_URI>"' \
     --form 'code="AUTHORIZATION_CODE_FROM_STEP_2"'
  

• Response

  {
     "access_token": "<TOKEN>",
     "expires_in": 2592000,
     "token_type": "Bearer",
     "refresh_token": "<REFRESH_TOKEN>",
     "scope": "SCOPES_PASSED_EARLIER_FOR_OAUTH"
  }
  

Note that this token has an expiration (as specified by expires _in field) and then it needs to be refreshed using a refresh token (which expires in 1 year).

5. Authorization with bearer tokens Pass the access _token obtained in the previous step as a bearer token in the Authorization header.

Curl -H 'Authorization: Bearer <TOKEN>' 'https://api.uber.

¶ Token management

Token Management is crucial for maintaining secure access to our platform. It involves generating, refreshing, and revoking access tokens. Follow this link for detailed guidelines on token generation, refreshing token, and revoking token.

¶ Oauth Authorization code flow guide

¶ OAuth using Client Credentials

The Client Credentials grant type is another authentication method to authorize APIs. It is specifically designed for actions performed on behalf of an application, rather than an individual user. This grant type is suitable for scenarios where APIs do not require access to user-specific data, such as system-level integrations or machine-to-machine communication. For example, our Rides API, price and estimated endpoint, Eats Menu API, etc.

Getting Access Token

To obtain an Access Token using the Client Credentials grant type, three essential components are required:

• Client ID: A unique identifier assigned to your application when you register it on the platform.
• Client Secret: A confidential key associated with your application, used for authentication during token exchange.
• Scope Names: Specific permissions or scopes that define the actions your application is allowed to perform.

Steps to Obtain Client Credentials

1. Create and Configure Your Application:

   • Log in to the Uber Developer Dashboard.
   • Click on Create Application.
   • Fill in the required details (e.g., privacy policy URLs, redirect URLs) in the setup tab.
   • Once created, your application will appear under the TestApp section as shown in Fig 1.

2. Access Token via Client Credentials:

   • Navigate to the Access Token section under your application settings.
   • Select the Client Credentials option.
   • Note the Scopes Authorized displayed. These are the permissions an application requires.

3. Generate Client ID and Client Secret:

   • Click on Generate to create your Client ID and Client Secret.
   • Save these credentials securely. They are essential for authenticating an application and obtaining an access token.

   Example Request:

   curl --location 'https://auth.uber.com/oauth/v2/token' \
      --form 'client_secret="<CLIENT_SECRET>"' \
      --form 'client_id="<CLIENT_ID>"' \
      --form 'grant_type="client_credentials"' \
      --form 'scope="<SPACE_DELIMITED_LIST_OF_SCOPES>"'
   

   In this request provide Client ID, Client Secret, Grant Type (set to Client_Credentials for client credential flow) and Scopes which the developer wants to access.

   Example Response:

   {
      "access_token": "<TOKEN>",
      "expires_in": 2592000,
      "token_type": "Bearer",
      "refresh_token": "<REFRESH_TOKEN>",
      "scope": "SCOPES_PASSED_EARLIER_FOR_OAUTH"
   }
   

   Upon successful authentication and authorization, the platform returns an Access Token, along with additional information such as the expiration time (expires_in), token type (Bearer), a Refresh Token for token renewal, and the associated scope.

4. Access Token Expiration

   • The Access Token obtained through the Client Credentials flow has a limited lifespan, as indicated by the expires_in field in the response. Typically, Access Tokens expire after a certain period of time. It’s crucial to manage token expiration and implement token refreshing mechanisms to maintain secure and uninterrupted access to APIs.

¶ Notes

• Encryption/Decryption Process All drivers’ personal identifiers exposed through the API need to be encrypted through a standard encryption process. The details about the encryption and decryption process are mentioned below.

  Prerequisite

  • The 3rd party will generate the RSA public-private key pair (2048-bit key size) and share the public key with Uber through an encrypted channel (Your Uber POC will connect you to the engineering team).

  Encryption

  • Uber will generate an AES symmetric key.
  • This symmetric key will be used to encrypt the driver identifiers. RSA is not directly used because it is non-performant for large objects, whereas AES is more efficient for those cases.
  • The driver’s personal identifier will be encrypted using the above-mentioned symmetric key by the aes-256-gcm algorithm. GCM mode ensures the integrity of the payload. In the encrypted payload, the first 12 bytes contain the IV, and the rest contains the data.
  • The symmetric key will be encrypted using the pre-supplied RSA public key and the RSA-OAEP algorithm.
  • The encrypted symmetric key will be added in the API response as the encrypted_symmetric_key field. All other encrypted fields in the API response will start with the encrypted_ prefix.

  Decryption

  • The 3rd party will first decrypt the encrypted AES symmetric key using their RSA private key.