Privileged and Confidential This endpoint design has been confidentially shared with you. It is still under development and is subject to change without notice. Please do not share this document or API endpoint details with anyone who is not authorized to have access. For more information read about scopes.

All the Uber APIs follow OAuth2.0, an industry standard protocol for Authorization. For more details about this protocol, go here.

There are two modes of authorization used across the rental platform's API: authorization code and client credentials. APIs that expose or access information about a specific driver use the authorization code grant; all other APIs use the client credentials grant.

OAuth using Authorization Code

This mode is used for actions on behalf of a user, i.e. wherever data is shared in the context of a specific user (e.g. user profile information, trip data, or saved locations). To use it, the user must first consent to that information being shared.

Rental companies will need to acquire the access_token for the corresponding driver to be able to call the endpoint that gives the driver information.

The steps for getting the access_token for a driver are defined below (assuming that you already have a developer application to play with. Otherwise, go back to here).

1. Register <REDIRECT_URI> and <PRIVACY_POLICY_URL> in the developer application

Skip this section and go to (2) if you are using a test application provided by Uber. All test applications use http://localhost for <REDIRECT_URI> and <PRIVACY_POLICY_URL>.

The rental company will need to expose two HTTP endpoints, <REDIRECT_URI> and <PRIVACY_POLICY_URL>.

<REDIRECT_URI> After a driver completes the OAuth process, an HTTP redirect is made to this URL carrying an authorization code. This code can be exchanged at the token exchange endpoint for an access token corresponding to the driver.

<PRIVACY_POLICY_URL> This URL is used to link the OAuth screen to the rental company's data handling policy.

Both these endpoints need to be registered in the developer dashboard.

Note! - For testing the setup, you can also use http://localhost for both URLs, but they must be changed to the real URLs before going to production; otherwise the OAuth redirect after driver consent will not work.

2. Authorization

First, the driver has to grant your app permission to access their data or perform actions on their behalf. Uber provides an authorization page where drivers can securely sign in with their Uber username and password to grant permissions to your app. This authorization page is accessed through the authorization URL. To ensure that the driver grants permission to your app properly, supply the query parameters to that URL as described below.

Auth Endpoint
<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&response_type=code&scope=<SCOPES>&state=<STATE>

Parameter       Description
state           An identifier the rental company can use to identify the driver for whom the flow was triggered. This value is passed back unaltered with the redirect.
client_id       Client ID of the application registered on the developer dashboard.
response_type   Must be hard-coded as 'code'.
scope           Space-delimited list of scopes you would like permission to access on behalf of the driver. The OAuth screen shows these scopes when asking for the driver's consent. Check the API reference for scope names.
redirect_uri    URL to which the redirect is made after the OAuth flow completes. If none is provided, the first URL registered for the application on the developer dashboard is used.

After you’ve supplied the needed parameters, present this authorization URL as a link for the driver to visit. Usually, this link will say “Sign in with Uber”.

(Image: "Login With Uber" button)

When the driver visits the authorization page, they are taken through a couple of authorization steps to authorize your app.

(Image: Vehicle Solutions consent screen)
3. Receive redirect

Once the driver authenticates and authorizes your app, Uber will issue an HTTP 302 redirect to the redirect_uri passed in or the default when none is explicitly provided. On that redirect, you will receive a single-use authorization code which expires in 10 minutes.

GET https://<rental_company_base_uri>/redirect?code=<AUTHORIZATION_CODE>&state=<state>

4. Get an access token

Use the Token Exchange Endpoint to exchange this authorization code for an access_token, which allows you to make requests on behalf of the user. This access token can be used to call any API that shares user-related information.

Token Exchange Endpoint
Example Request
curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=authorization_code' \
     -F 'redirect_uri=<REDIRECT_URI>' \
     -F 'code=<AUTHORIZATION_CODE>' \
     '<TOKEN_EXCHANGE_ENDPOINT>'

Example Response
{
    "access_token": "<TOKEN>",
    "expires_in": 2592000,
    "token_type": "Bearer",
    "refresh_token": "<REFRESH_TOKEN>"
}

Note that the access token expires after the period given in the expires_in field (in seconds); it must then be refreshed using the refresh token, which itself expires in 1 year.

5. Using bearer tokens for making API calls

Pass the access_token returned in the previous step as a bearer token in the Authorization header.

curl -H 'Authorization: Bearer <TOKEN>' '<API_URL>'
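As an added example (not code from the Uber documentation), the Python module below shows how a rental company's backend could implement steps 2 to 5: it mints an unguessable state per driver, validates the redirect and refuses a replayed state, builds the token exchange form fields, and turns expires_in into an absolute expiry so the refresh token is used before the access token lapses. The auth endpoint, redirect URI, client ID and scope names are placeholders or constructed values, not Uber's.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_ID = "<CLIENT_ID>"                         # placeholder: value from the developer dashboard
REDIRECT_URI = "https://rental.example/redirect"  # constructed example <REDIRECT_URI>

# Flows awaiting the redirect, keyed by state -> the rental company's own driver reference.
# Uber echoes state back unaltered, so it links the redirect to the driver who started it.
_pending = {}

def build_authorize_url(auth_endpoint, driver_ref, scopes):
    """Step 2: build the 'Sign in with Uber' link for one driver."""
    state = secrets.token_urlsafe(24)  # unguessable, so a redirect cannot be forged for another driver
    _pending[state] = driver_ref
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
              "scope": " ".join(scopes), "state": state}  # scopes are space delimited
    return auth_endpoint + "?" + urlencode(params), state

def handle_redirect(url):
    """Step 3: check the redirect and recover which driver the single-use code belongs to."""
    qs = parse_qs(urlsplit(url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    driver_ref = _pending.pop(state, None)  # one use per state: a replayed redirect is rejected
    if driver_ref is None or not code:
        raise ValueError("unknown or reused state, or missing authorization code")
    return driver_ref, code

def token_exchange_fields(client_secret, code):
    """Step 4: form fields for the token exchange endpoint (the same fields as the curl -F example)."""
    return {"client_secret": client_secret, "client_id": CLIENT_ID,
            "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI, "code": code}

def store_token(driver_ref, token_response, now=None):
    """Turn expires_in (seconds) into an absolute expiry so a refresh can be scheduled."""
    now = time.time() if now is None else now
    return {"driver": driver_ref, "access_token": token_response["access_token"],
            "refresh_token": token_response["refresh_token"],
            "expires_at": now + token_response["expires_in"]}

def needs_refresh(stored, now=None, margin=300):
    """Refresh a few minutes early rather than letting an API call fail on an expired token."""
    now = time.time() if now is None else now
    return now >= stored["expires_at"] - margin

def bearer_header(stored):
    """Step 5: the Authorization header for API calls on the driver's behalf."""
    return {"Authorization": "Bearer " + stored["access_token"]}
```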

Refreshing and revoking tokens

Follow this link for details.

OAuth using authorization code overall flow

(Image: OAuth authorization code flow diagram)

OAuth using Client Credentials

This is used for actions on behalf of an application. It is primarily used for calling APIs that do not pass any Uber user data, e.g. our Rides API price and estimates endpoint, Eats Menu API, etc.

1. Getting an access token

Using the client id, client secret, and scope names, you can generate the access token using the token exchange endpoint.

Token Exchange Endpoint
Example Request
curl -F 'client_secret=<CLIENT_SECRET>' \
     -F 'client_id=<CLIENT_ID>' \
     -F 'grant_type=client_credentials' \
     -F 'scope=<SCOPES>' \
     '<TOKEN_EXCHANGE_ENDPOINT>'

Example Response
{
    "access_token": "<TOKEN>",
    "expires_in": 2592000,
    "token_type": "Bearer",
    "refresh_token": "<REFRESH_TOKEN>"
}

The access_token is good for a limited period of time described by the expires_in field (in seconds).


© 2023 Uber Technologies Inc.