Authorization
All the Uber APIs follow OAuth2.0, an industry standard protocol for Authorization. For more details about this protocol, go here.
There are 2 modes of authorization used across rental platform’s API - Authorization code and client credentials. The APIs that expose/access information for a specific driver follow authorization code grant for authorization and other APIs follow client credentials grant.
¶ OAuth using Authorization Code
This is used for actions on behalf of a User. This is used in cases where any data sharing is happening in the context of a user. E.g. user profile information, trips data, or saved location, etc. For using this authorization mode, the user needs to give a consent that s/he has no problem with this information sharing.
Rental companies will need to acquire the access_token for the corresponding driver to be able to call the endpoint that gives the driver information.
The steps for getting the access_token for a driver are defined below (assuming that you already have a developer application to play with. Otherwise, go back to here).
¶ 1. Register <REDIRECT_URI> and <PRIVACY_POLICY_URL> in the developer application
Rental company will need to expose 2 HTTP endpoints <REDIRECT_URI> and <PRIVACY_POLICY_URL>.
<REDIRECT_URI> | After a driver completes the OAuth process, an HTTP redirect will be made to this URL with an authorization code. This code can be exchanged with the token exchange endpoint to get an access token corresponding to the driver. |
<PRIVACY_POLICY_URL> | This URL will be used to link the OAuth screen with the rental company’s data handling policy. |
Both these endpoints need to be registered in the developer dashboard.
¶ 2. Authorization
First, the driver has to grant your app permission to access their data or do actions on their behalf. Uber provides an authorization page where drivers can securely sign in with their Uber username and password to grant permissions to your app. This authorization page is accessed through the authorization URL. To ensure that the driver grants permission to your app properly, supply query parameters to that URL as described below
¶ Auth Endpoint
https://bonjour.uber.com/marketplace/vehicle-solutions-agreement?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&response_type=code&scope=<SCOPES>&state=<STATE>
Parameter | Description |
---|---|
state | An identifier the rental company can use to identify the driver for which the flow was triggered. This state will be passed back unaltered with the redirect. |
clientID | Client ID from the application registered on developer dashboard. |
response_type | Should be hard-coded as 'code'. |
scope | Space delimited list of grant scopes you would like to have permission to access on behalf of the driver. OAuth screen will show these scopes while asking for a driver’s consent. Check the API reference for scope names. |
redirect_uri | URL where the redirect will happen after the OAuth flow is completed. If none is provided, the first URl from the developer dashboard’s application will be used. |
After you’ve supplied the needed parameters, present this authorization URL as a link for the driver to visit. Usually, this link will say “Sign in with Uber”.
When driver visits the authorization page, s/he will be taken through a couple of authorization steps to authorize your app.
¶ 3. Receive redirect
Once the driver authenticates and authorizes your app, Uber will issue an HTTP 302 redirect to the redirect_uri passed in or the default when none is explicitly provided. On that redirect, you will receive a single-use authorization code which expires in 10 minutes.
GET https://<rental_company_base_uri>/redirect?code=<AUTHORIZATION_CODE>&state=<state>
¶ 4. Get an access token
Use the Token Exchange Endpoint to exchange this authorization code for an access_token which will allow you to make requests on behalf of the user. This access token can be used to call any API that shares the user related information.
¶ Token Exchange Endpoint
https://auth.uber.com/oauth/v2/token
¶ Request
curl -F 'client_secret=<CLIENT_SECRET>' \
-F 'client_id=<CLIENT_ID>' \
-F 'grant_type=authorization_code' \
-F 'redirect_uri=<REDIRECT_URI>' \
-F 'code=AUTHORIZATION_CODE_FROM_STEP_2' \
https://auth.uber.com/oauth/v2/token
¶ Response
{
"access_token": "<TOKEN>",
"expires_in": 2592000,
"token_type": "Bearer",
"refresh_token": "<REFRESH_TOKEN>",
"scope": "SCOPES_PASSED_EARLIER_FOR_OAUTH"
}
Note that there is a token expiry for this token (as specified by expires_in field) and then it needs to be refreshed using a refresh token (which expires in 1 year).
¶ 5. Using bearer tokens for making API calls
Pass the access_token returned in the previous step as a bearer token in the Authorization header.
curl -H 'Authorization: Bearer <TOKEN>' 'https://api.uber.com/resource\_url'
¶ Refreshing and revoking tokens
Follow this link for details.
¶ OAuth using authorization code overall flow
¶ OAuth using Client Credentials
This is used for actions on behalf of an application. It is primarily used for calling APIs that do not pass any Uber user data, e.g. our Rides API price and estimates endpoint, Eats Menu API, etc.
¶ 1. Getting access token
Using the client id, client secret, and scope names, you can generate the access token using the token exchange endpoint.
Token Exchange Endpoint - https://auth.uber.com/oauth/v2/token
¶ Example Request
curl -F 'client_secret=<CLIENT_SECRET>' \
-F 'client_id=<CLIENT_ID>' \
-F 'grant_type=client_credentials' \
-F 'scope=<SPACE_DELIMITED_LIST_OF_SCOPES>' \
https://auth.uber.com/oauth/v2/token
¶ Example Response
{
"access_token": "<TOKEN>",
"expires_in": 2592000,
"token_type": "Bearer",
"refresh_token": "<REFRESH_TOKEN>",
"scope": "SCOPES_PASSED_EARLIER_FOR_OAUTH"
}
The access_token is good for a limited period of time described by the expires_in field (in seconds).