Uber Pay API (1.4)

Uber Pay is currently invite only for payment service providers and payment partners.

Get in touch to register your interest in using our APIs and we’ll reach out as soon as possible.

Introduction to Uber Pay

Uber is an ever-growing ecosystem of products and services for people around the world. We want to empower people to pay and get paid with their preferred payment method.

If you are a Payment Service Provider (PSP) or payment partner, you can now integrate with Uber by leveraging Uber Pay APIs.

Use Cases

By building a single API integration with Uber Pay, you will be able to:

  • Enable millions of consumers to pay for their ride with Uber or their order on Uber Eats.
  • Enable your customers to load money into the Uber ecosystem right from your app or website, thereby increasing customer engagement.
  • Enable Uber delivery partners (drivers, couriers, etc) to settle their outstanding arrears using their preferred payment method.
  • Provide Uber delivery partners the flexibility to receive payments through their preferred digital wallets.
  • Convert loyalty programs points (such as credits or airline miles) into Uber Cash, our stored credits which consumers can spend on rides and Eats orders.
  • Feature your payment instruments as an official payment method on Uber.

How it works

Uber Pay is both:

  • A specification: a set of endpoints for PSPs to build and expose for the integration to work correctly
  • An API: a set of functionalities exposed by Uber for partners to leverage

When you integrate with Uber Pay, you will need to implement a few endpoints on your end for Uber apps to call and initiate the correct flow (e.g. payment method onboarding, money movement, refund, etc).

Uber Pay defines two sets of APIs for PSP Partners to implement:

1. Partner Payment API

Allows Uber to initiate payment transactions, check transaction statuses, initiate refunds and query payment method balance.

API Description
Charge Initiate money movement
Capture Capture payment on an authorized charge
Cancel Cancel an authorized charge
Find Transaction Retrieve the current status of a transaction from Partner's system
Init Refund Initiate customer refund
Get Balance Get payment instrument's available balance

2. Partner Payout API

Allows Uber to create payouts.

API Description
Payout Create a payout

3. Payment Method Onboarding (Partner OAuth2 API)

Payment method onboarding (via oAuth 2.0 protocol) is available and recommended for improving both the user experience and conversion rate at checkout.

When Partner OAuth2 API integration is not an option, Uber Pay offers the possibility to use a 2FA experience leveraging a webview provided by PSP Partner to authorize the payment every time during checkout.

API Description
Authorize Authorization web page for users to grant Uber access
Create Token OAuth 2 endpoint allowing creation of access and refresh tokens

FAQs

We already have an API, can’t Uber integrate with it directly?

Uber does integrate directly with Partner’s API, though our engineering teams can only work on so many integrations every year. One of the reasons Uber Pay was born is to allow for Partners to join the Uber ecosystem quickly and more independently.

How flexible is the Uber Pay API?

The Uber Pay integration model standardizes the flow of data between Uber and PSPs. Working with many partners, we have designed our APIs to allow for some flexibility. As a rule of thumb, though, Uber will not be able to adjust said data flows and structures to fit a PSP’s existing infrastructure and/or APIs.

How often will I need to update my integration?

As the Uber Pay APIs evolve, new capabilities will be added that may require changes on the PSP’s end. We will always prioritize supporting backward compatibility. If a breaking change will be needed, we will give ample notice, and do our best to minimize the impact of the work on your end to implement the required changes.

How long does it take to launch a new payment method via Uber Pay?

The bulk of the work will revolve around the PSP building the necessary endpoints following the Uber Pay specification. Once those are in place, and we have validated the integration works, launching a payment method is usually a matter of adding some configurations, testing the flow, and following a gradual rollout plan. Once the first payment method goes live, any subsequent ones will take significantly less.

Onboarding

In order to start using the APIs you need to complete the following phases:

Sign up on the developer portal

  1. Visit Uber’s developer portal
  2. Click "Sign In"
  3. Create an Uber account that you will use for developer access.
    • You will need a mobile phone number and a password to create an account.
    • We recommend partners not to use personal account or information.
  4. Once you are in the developer portal dashboard, create an app by clicking "+ new app".
  5. Note down the client ID of the app. It’s an identifier (not secret or password) to recognize your app. You will use this ID to configure your account.

Account configuration

After you sign up, Uber Pay will configure your newly created app. For us to do so, you’ll need to provide the following:

  1. Client ID - From the app that you generated in the previous step.
  2. Base URL - Base URL of your Uber Pay implementation. Uber Pay will build absolute URLs by concatenating this base URL you provide with relative paths of the endpoints defined in this spec. For instance /charge endpoint will be called ${BASE_URL}/charge.

Payment method configuration

In addition to your account, Uber Pay will configure and share the following attributes:

  1. Funding method code - We assign a code for each payment method you support.
  2. Source account ID - This ID is an internal Uber reference to the Partner's settlement account. Typically there will be multiple of these IDs depending on the number of countries in which you operate. You are expected to generate one reconciliation report per source account ID.

Authentication

Signature validation

All requests from Uberpay shall have a signature header which is a RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. Example below shows how a charge request from Uber looks like:

curl -X POST \
https://uber.partner.com/v1/payments/charge \
-H 'Accept-Language: pt-BR' \
-H 'Date: Sat, 08 Jun 2019 20:51:35 GMT' \
-H 'Digest: SHA-256=XLnQeHxHWlOkXmqcQaS57rSVfDBUTSUFRpvqZfLxBU0=' \
-H 'Signature: keyId="rsa-key", algorithm="rsa-sha256",
headers="(request-target) host date digest",
signature="dMpg9QKPxwP5l8O6Q7OFC2vNPoJucKga1WKbvPfMY52pi20Hti/mk017OicAuYRfpH9rBsq/6g2wK0m1qqgVNY0UUvIGIrMJd9ii55YacTL/4HAv5CLPFcSDWqFUsA0W8HvvlEk6YgVD052obT6KS0Zd3qJfRJ+qS7KHkSLKAw8="'
-H 'X-Idempotency-Key: c900d4dd-7070-4e0b-9323-8f24cfde0490' \
-H 'Content-Type: application/json' \
-d "{\"destination\": {\"owner_id\": \"dest_owner_id\",\"id\": \"dest_id\",\"type\": \"Account\"},\"source\": {\"owner_id\": \"source_owner_id\",\"id\": \"source_id\",\"type\": \"Account\"},\"amount\": {\"value\": 100000,\"currency\": \"BRL\"},\"description\": \"I'm a deposit in sandbox.\",\"country_iso2\": \"BR\",\"funding_method\": \"BOLETO\",\"initiated_at\": \"2019-06-08T20:51:35Z\",\"session_id\": \"8b31b7f4-3542-4391-817c-d496ce84a7ae\",\"return_url\": \"uber:\/\/payments\/deposit?correlation_id=c900d4dd-7070-4e0b-9323-8f24cfde0490\",\"destination_owner\": {\"type\": \"Customer\",\"id\": \"a66b36d5-887c-4e7c-9edb-9fcbef108e83\",\"uri\": \"\/\/payments\/customers\/a66b36d5-887c-4e7c-9edb-9fcbef108e83\",\"details\": {\"mobile\": \"+123456788\",\"firstname\": \"John\",\"lastname\": \"Doe\"}},\"payment_data\": [{\"type\": \"meal_voucher_payment_data\",\"meal_voucher_merchant_id\": \"15678\"}],\"capture_method\": \"AUTOMATIC\"}"

You can test your requests before you send them to Uber with the OpenSSL cmd-line. For example:

openssl dgst -sha256 -verify {PUBLIC_KEY_FILE} -signature {SIGNATURE_FILE} {DECODED_HEADERS_FILE}
  1. PUBLIC_KEY_FILE: Public key file
  2. SIGNATURE_FILE: File containing only the signature of the header, base64 decoded. For the above example, this file contains the result of the command.

For example, the SIGNATURE_FILE looks like this:

echo dMpg9QKPxwP5l8O6Q7OFC2vNPoJucKga1WKbvPfMY52pi20Hti/mk017OicAuYRfpH9rBsq/6g2wK0m1qqgVNY0UUvIGIrMJd9ii55YacTL/4HAv5CLPFcSDWqFUsA0W8HvvlEk6YgVD052obT6KS0Zd3qJfRJ+qS7KHkSLKAw8= | base64 -D
  1. DECODED_HEADERS_FILE: File containing headers that are being used to form the signature text, for the example above the file looks like this:
(request-target): post /v1/payments/charge
host: uber.partner.com
date: Sat, 08 Jun 2019 20:51:35 GMT
digest: SHA-256=XLnQeHxHWlOkXmqcQaS57rSVfDBUTSUFRpvqZfLxBU0=

Note that for the openssl validation command to work, do not provide a line ending character at the end of DECODED_HEADERS_FILE or SIGNATURE_FILE.

You should only include :{PORT} in case of non-standard ports for the given scheme as we show in the example above. For example, since port 443 is the default port for the https scheme, we don’t include it in the resulting host header text in the above example with URL https://uber.partner.com/v1/payments/charge. If the URL is https://uber.partner.com:9443/v1/payments/charge, then you should provide the host header with uber.partner.com:9443.

We perform signature validation based on the order of the header items are important for the signature validation. Therefore, you should provide it as (request-target), host, date, digest.

You shall receive a public key via email or any of our designated communication channels.

Partner Payment API

Partner Payment API contains the payment endpoints that the PSP Partner needs to implement in order to integrate with Uber Pay system.

Charge

Charge API allows Uber Pay to initiate money movement with PSP Partners.
A charge can be used to either authorize a payment and capture it later, or to capture it immediately without an authorization step.

  • If partner can process the payment request immediately, partner should respond with either CONFIRMED or REJECTED state and with a psp_reference. In case of a REJECTED transaction, partner should indicate the reason in state.detail.
  • If partner cannot process the payment request immediately, partner should respond with PENDING state. Partner should call the chargeCallback endpoint once payment is processed. See the callbacks section below.
  • If payment requires user input to proceed, partner can respond with a WebViewUserInputAction in response actions. State must be PENDING and WebViewUserInputAction must include a URL for user authorization. Partner should call the chargeCallback endpoint once the payment is processed. See the callbacks section below.
  • If capture_method is AUTOMATIC, partner automatically captures funds when the user authorizes the payment. Processing can happen either synchronously or asynchronously.
  • If capture_method is MANUAL, partner must process the payment request immediately.
    In case of a CONFIRMED response state, charge will move to AUTHORIZED state. Partner must then wait for Uber's capture call for moving funds.
    In case of a REJECTED response state, charge will move to REJECTED state. A charge in AUTHORIZED state will move to CANCELLED state if is cancelled explicitly, or if it expires after 72h.

For the partners who support Partner OAuth2 API, API requests include OAuth2 access token in Authorization header.

Authorizations:
(partner-oauth2uberpay-http-signature-auth) uberpay-http-signature-auth
header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Accept-Language
required
string

User-preferred language as a BCP 47 code, for example en-GB or pt-BR

X-Idempotency-Key
required
string (IdempotencyKey)

This header must be treated as the idempotency key. When multiple requests with the same X-Idempotency-Key header occur, the partner implementation MUST only fulfil one of the requests. If the request succeeds or results in a non-retryable error (e.g. 400), all subsequent retries should return the same response. If the request results in a retryable error (e.g. 500), the next request should be processed normally.

Request Body schema: application/json
required
any (Authorization)

The type of authorization associated with this money movement.

All future types are guaranteed to have a type field.

id
required
string

Transaction id generated by Uber Pay.

session_id
string
Deprecated

Uber’s client session id such as web session or mobile session.

required
object (SourceAccount)

Source account is an internal Uber reference for Partner's settlement account

required
object (DestinationAccount)

Destination account identifying an Uber customer.

required
object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

description
required
string (TransactionDescription) <= 256 characters ^[A-Za-z0-9-_ ]*$

Alphanumeric characters and _, -. Up to 256 chars.

country_iso2
required
string

The country in which this transaction is being created. In ISO3166 format.

funding_method
required
string

The payment method to use

initiated_at
required
string <date-time>

Transaction initiation time in ISO 8601 format.

return_url
required
string

The URL to which to redirect the user agent at the end of the flow, in case a user input action is needed. It may be an HTTPs scheme or a mobile deep link.

capture_method
required
string
Enum: "AUTOMATIC" "MANUAL"
  • AUTOMATIC: (default) partner automatically captures funds when user authorizes the payment
  • MANUAL: partner tries to authorize the payment but waits for Uber's capture call for moving funds
object (AccountOwner)

Details about the owner of the destination account. Contains information you need to complete payment for the funding method and country in the request.

Array of MealVoucherPaymentData (object) or PointConversionPaymentData (object) or OrderPaymentData (object) (PaymentDataArray)

Additional payment data for specific use cases.

All PaymentData objects are guaranteed to have a type field.

For "Meal Voucher" balance requests there will be one object with type equals to meal_voucher_payment_data.

Responses

Response Schema: application/json
required
object (ChargeState)

Status of the money movement request. If the partner implementation:

  • Can process the money movement request immediately (Synchronous), the response must be either CONFIRMED or REJECTED.
  • Cannot process the money movement request immediately (Asynchronous), the response must be PENDING. Meaning the partner acknowledges the request and the processing will happen asynchronously.
merchant_reference
string
Deprecated

Payment transaction reference ID on partner side. Use psp_reference instead.

psp_reference
string

Payment transaction reference ID on partner side.

object
Deprecated

Additional metadata about the transaction. String key-value pairs.

Array of WebViewUserInputAction (object) (Actions)

If an action is needed on the Uber side. For example, if a user input is needed, include a WebViewUserInputAction while setting the state.value value to PENDING.

All Action types are guaranteed to have a type field.

Callbacks

Request samples

Content type
application/json
{
  • "authorization": {
    },
  • "id": "string",
  • "session_id": "string",
  • "source": {},
  • "destination": {},
  • "amount": {
    },
  • "description": "string",
  • "country_iso2": "string",
  • "funding_method": "string",
  • "initiated_at": "2019-08-24T14:15:22Z",
  • "return_url": "string",
  • "capture_method": "AUTOMATIC",
  • "destination_owner": {
    },
  • "payment_data": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "state": {
    },
  • "psp_reference": "345s6df5678sdf"
}

Callback payload samples

Callback
Content type
application/json
{
  • "state": {
    },
  • "psp_reference": "string"
}

Capture

Capture API allows Uber Pay to capture payment on a previously authorized charge.

  • A successful capture will move the charge from AUTHORIZED to CONFIRMED state. An unsuccessful capture will move the charge to REJECTED state.

For the partners who support Partner OAuth2 API, API requests include OAuth2 access token in Authorization header.

Authorizations:
(partner-oauth2uberpay-http-signature-auth) uberpay-http-signature-auth
path Parameters
id
string

Transaction id generated by Uber Pay in charge step.

header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Accept-Language
required
string

User-preferred language as a BCP 47 code, for example en-GB or pt-BR

X-Idempotency-Key
required
string (IdempotencyKey)

This header must be treated as the idempotency key. When multiple requests with the same X-Idempotency-Key header occur, the partner implementation MUST only fulfil one of the requests. If the request succeeds or results in a non-retryable error (e.g. 400), all subsequent retries should return the same response. If the request results in a retryable error (e.g. 500), the next request should be processed normally.

Request Body schema: application/json
psp_reference
string

Transaction id generated by Partner during charge.

required
object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

Responses

Request samples

Content type
application/json
{
  • "psp_reference": "string",
  • "amount_to_capture": {
    }
}

Response samples

Content type
application/json
{
  • "detail": "EXCEEDS_CAPTURE_LIMIT",
  • "error_description": "string"
}

Cancel

Cancel API allows Uber Pay to cancel a previously authorized charge.

  • A successful cancel call moves charge to CANCELLED state.

For the partners who support Partner OAuth2 API, API requests include OAuth2 access token in Authorization header.

Authorizations:
(partner-oauth2uberpay-http-signature-auth) uberpay-http-signature-auth
path Parameters
id
string

Transaction id generated by Uber Pay in charge step.

header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Accept-Language
required
string

User-preferred language as a BCP 47 code, for example en-GB or pt-BR

X-Idempotency-Key
required
string (IdempotencyKey)

This header must be treated as the idempotency key. When multiple requests with the same X-Idempotency-Key header occur, the partner implementation MUST only fulfil one of the requests. If the request succeeds or results in a non-retryable error (e.g. 400), all subsequent retries should return the same response. If the request results in a retryable error (e.g. 500), the next request should be processed normally.

Request Body schema: application/json
psp_reference
string

Transaction id generated by Partner during charge.

Responses

Request samples

Content type
application/json
{
  • "psp_reference": "string"
}

Response samples

Content type
application/json
{
  • "detail": "VALIDATION_ERROR",
  • "error_description": "string"
}

Find Transaction

Retrieve the current status of a transaction (charge or refund) from the Partner's system.

Authorizations:
uberpay-http-signature-auth
query Parameters
id
required
string

Transaction id generated by Uber Pay. For refunds it will be refund ID.

merchant_reference
string

Transaction reference in Partner’s system. This field is populated whenever it is present in our system. In some cases, e.g. charge/refund request timed out and we weren't able to retrieve merchant_reference, this field is not present.

header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Responses

Response Schema: application/json
id
required
string

Original Uber transaction id

merchant_reference
required
string

Original transaction reference in Partner’s system.

status
required
string
Enum: "PENDING" "CONFIRMED" "REJECTED" "AUTHORIZED"
  • PENDING: payment still in progress
  • CONFIRMED: payment confirmed
  • AUTHORIZED: payment is authorized but not yet captured
  • REJECTED: payment rejected
confirmed_at
string <date-time>

Payment confirmed date time in Partner’s system with ISO 8601 format. This field must be present if the status is SUCCEEDED.

object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

Request samples

curl -X GET \
  https://uber.partner.com/v1/payments/find-transaction?id=cGdfMGE3OTA1OTItYTIyNi0zY2EyLWFjZjEtNzE0YTAwMzAxMmQz \
  -H 'Date: Sat, 08 Jun 2019 20:51:35 GMT' \
  -H 'Digest: SHA-256=FkJ3miKx7I099a8n7q3Kmn7P8/dFS1Ebx5POQd185PM=' \
  -H 'Signature: keyId="rsa-key", algorithm="rsa-sha256", \
    headers="(request-target) host date digest", \
    signature="INCLUDED_SIGNATURE"'

Response samples

Content type
application/json
{
  • "id": "cGdfMGE3OTA1OTItYTIyNi0zY2EyLWFjZjEtNzE0YTAwMzAxMmQz",
  • "merchant_reference": "599f4164-4417-4361-9d11-1d9d8b4b9096",
  • "status": "SUCCEEDED",
  • "confirmed_at": "2020-04-11T12:00:00Z"
}

Init Refund

Uber Pay calls this API to initiate a customer refund. Partner can

  • Issue the refund immediately and respond with SUCCEEDED or FAILED status.
  • Partners can acknowledge refund request with PENDING status and call Uber Pay's updateRefund callback API.

For the partners who support Partner OAuth2 API, API requests include OAuth2 access token in Authorization header.

Authorizations:
(partner-oauth2uberpay-http-signature-auth) uberpay-http-signature-auth
header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

X-Idempotency-Key
required
string (IdempotencyKey)

This header must be treated as the idempotency key. When multiple requests with the same X-Idempotency-Key header occur, the partner implementation MUST only fulfil one of the requests. If the request succeeds or results in a non-retryable error (e.g. 400), all subsequent retries should return the same response. If the request results in a retryable error (e.g. 500), the next request should be processed normally.

Request Body schema: application/json
id
required
string

Refund ID

original_transaction_id
required
string

Original transaction ID in Uber system

original_merchant_reference
required
string

Original transaction reference in a Partner’s system

required
object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

description
string (TransactionDescription) <= 256 characters ^[A-Za-z0-9-_ ]*$

Alphanumeric characters and _, -. Up to 256 chars.

order_refund_data
string

Item-level refund related data for the order for the same transaction in the /charge request. Will be only populated if /charge had PaymentData.OrderPaymentData populated.

Responses

Response Schema: application/json
status
required
string
Enum: "CONFIRMED" "PENDING" "REJECTED"
  • PENDING: refund still in progress, should be confirmed/rejected by callback
  • CONFIRMED: refund confirmed
  • REJECTED: refund rejected
merchant_reference
required
string

Refund transaction reference in Partner’s system

failed_reason
string

Use only for failed refunds

Callbacks

Request samples

Content type
application/json
{
  • "id": "string",
  • "original_transaction_id": "string",
  • "original_merchant_reference": "string",
  • "amount": {
    },
  • "description": "string",
  • "order_refund_data": "string"
}

Response samples

Content type
application/json
Example
{
  • "status": "SUCCEEDED",
  • "merchant_reference": "ref123"
}

Callback payload samples

Callback
POST: Update refund
Content type
application/json
{
  • "status": "CONFIRMED",
  • "merchant_reference": "string",
  • "failed_reason": "string"
}

Get Balance

Get payment instrument's available balance.

Authorizations:
(partner-oauth2uberpay-http-signature-auth)
header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Request Body schema: application/json
account_id
required
string

Corresponds to the account_id in the AuthorizedAccount received during token negotiation.

funding_method
required
string

Payment method code

Array of MealVoucherPaymentData (object) or PointConversionPaymentData (object) or OrderPaymentData (object) (PaymentDataArray)

Additional payment data for specific use cases.

All PaymentData objects are guaranteed to have a type field.

For "Meal Voucher" balance requests there will be one object with type equals to meal_voucher_payment_data.

Responses

Response Schema: application/json
required
object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

Array of objects (ItemizedBalance)

An array of all the balances with type. These balances represent individual balances per wallet or purse, if a partner supports multiple purses.

Each entry corresponds to a different balance, and must have a unique display_name.

Request samples

Content type
application/json
{
  • "account_id": "string",
  • "funding_method": "string",
  • "payment_data": [
    ]
}

Response samples

Content type
application/json
Example
{
  • "available_balance": {
    }
}

Partner Payout API

Partner Payout API contains the payout endpoints that the PSP Partner needs to implement in order to integrate with Uber Pay system.

Payout

Payout API allows Uber Pay to create a payout with PSP Partners.

  • A successful payout request will move the payout to either CONFIRMED or PENDING state.
    • If the Partner cannot process the payout immediately, the Partner should respond with PENDING state. The partner should then use Finalize payout endpoint once the payout is processed. See the callbacks section below.
    • If the Partner can process the payout immediately, the Partner should respond with CONFIRMED state.
  • An unsuccessful payout request will move the payout to REJECTED state.
Authorizations:
uberpay-http-signature-auth
header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Accept-Language
required
string

User-preferred language as a BCP 47 code, for example en-GB or pt-BR

X-Idempotency-Key
required
string (IdempotencyKey)

This header must be treated as the idempotency key. When multiple requests with the same X-Idempotency-Key header occur, the partner implementation MUST only fulfil one of the requests. If the request succeeds or results in a non-retryable error (e.g. 400), all subsequent retries should return the same response. If the request results in a retryable error (e.g. 500), the next request should be processed normally.

Request Body schema: application/json
id
required
string

Transaction ID generated by Uber Pay.

required
object (PayerAccount)

Payer account is an internal Uber reference for Partner's settlement account

required
object (CurrencyAmount)

Value of currency, ISO4217. The value is in E5 format. For example, 10 BRL is: {"value": 1000000, "currency": "BRL"}.

description
required
string (TransactionDescription) <= 256 characters ^[A-Za-z0-9-_ ]*$

Alphanumeric characters and _, -. Up to 256 chars.

country_iso2
required
string

The country in which the payout is being created in ISO3166 format.

funding_method
required
string

The payment method to use.

initiated_at
required
string <date-time>

Payout initiation time in ISO 8601 format.

required
object (Payee)

Payee information. Contains information required to process the payout.

Responses

Response Schema: application/json
required
object (PayoutState)

Status of the payout. If the Partner implementation:

  • Can process the payout immediately (Synchronous), the response must be CONFIRMED.
  • Cannot process the payout request immediately (Asynchronous), the response must be PENDING. Indicating the Partner acknowledges the request and the processing will happen asynchronously.
psp_reference
required
string

Transaction reference ID in Partner’s system.

Callbacks

Request samples

Content type
application/json
{
  • "id": "string",
  • "payer": {},
  • "amount": {
    },
  • "description": "string",
  • "country_iso2": "string",
  • "funding_method": "string",
  • "initiated_at": "2019-08-24T14:15:22Z",
  • "payee": {
    }
}

Response samples

Content type
application/json
Example
{
  • "state": {
    },
  • "psp_reference": "345s6df5678sdf"
}

Callback payload samples

Callback
POST: Finalize payout
Content type
application/json
{
  • "state": {
    },
  • "psp_reference": "string"
}

Partner OAuth2 API

Partner OAuth2 API contains standard RFC6749 OAuth2 endpoints Uber Pay Partner needs to implement.

Authorize

Note: This endpoint is a Partner provided web-page (not a json endpoint) for OAuth2 Authorization requests

See: RFC6749 Section 3.1

The Partner provided authorization endpoint is used to interact with the resource owner(user) and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

Authorization Code Response:

If the resource owner(user) grants the access request, Partner's authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format, per RFC6749 Appendix B:

  • code: The authorization code generated by Partner's authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. Uber Pay will not use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.

  • state: if the "state" parameter was present in the client authorization request. The exact value received from the client. An opaque value for authorization server. Uber Pay uses this to maintain state between /authorize call and authorization server initiated user-agent redirect.

Here is an example response, or redirect URI:

uber://ubercash_topup?code=ZmVmYmRlOGItNzZlOS00OWJkLTg3ZGUtN2IxMGI3MGIwNmU3&state=c29tZV9zdGF0ZQ==

Error Response:

If the resource owner(user) denied the authorization request, Partner's authorization server provides the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format, per RFC6749 Appendix B:

  • error: a single ASCII error code from the following list:

    • invalid_request - the the request is missing a parameter, contains an invalid parameter, includes a parameter more than once, or is otherwise invalid.
    • access_denied - the client or authorization server denied the request
    • unauthorized_client - the client is not allowed to request an authorization code using this method, for example if a confidential client attempts to use the implicit grant type.
    • unsupported_grant_type - the authorization server does not support obtaining an authorization code using this method, for example if the authorization server never implemented the implicit grant type.
    • invalid_scope - the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
    • server_error - instead of displaying a 500 Internal Server Error page to the client, the server can redirect with this error code.
    • temporarily_unavailable - if the authorization server is undergoing maintenance, or is otherwise unavailable, this error code can be returned instead of responding with a 503 Service Unavailable status code.
  • error_description: human-readable text providing additional information, used to assist Uber Pay in understanding the error that occurred. Encoded as ASCII.

  • error_uri: a URI identifying a human-readable web page with information about the error, used to provide Uber Pay with additional information about the error. Values for the "error_uri" parameter MUST conform to the URI-reference syntax.

  • state: if the "state" parameter was present in the client authorization request. The exact value received from the client. An opaque value for authorization server. Uber Pay uses this to maintain state between /authorize call and authorization server initiated user-agent redirect.

Here is an example response, or redirect URI:

com.ubercab://uber_pay_authorization_success?error=access_denied&state=eyJtZXJjaGFudElkIjoiOGJkZmEwZTQtOWVlMC00M2E5LWEzN2EtNjAzNjYxOTdkNzE2IiwiZGV2aWNlU2Vzc2lvbklkIjoiRjI0MEM1QjAtNTE3Qi00NEZGLUI3RkEtNUZFRjc3Q0YzRDMzIn0%3D
query Parameters
client_id
required
string

The client id issued by Partner to Uber Pay

response_type
required
string
Value: "code"
redirect_uri
required
string
Example: redirect_uri=uber://ubercash_topup/example

Partner redirects user-agent to this redirect_uri once authorization is completed at partner's end.

  • redirect_uri must not be manipulated in any way.
  • redirect_uri can be an https web uri as well as a mobile deep link.
  • redirect_uri we discourage allowlisting redirect_uri as it may change.
scope
required
string

A list of space-delimited, case-sensitive strings. See RFC6749 Section 3.3. Available scopes:

  • charge
  • get_balance
  • offline_access
  • refund
state
required
string

An opaque value for Partner. Uber Pay uses this to maintain state between /authorize call and Partner initiated user-agent redirect.

required
Array of objects (AuthorizationDetail)

JSON string representation of an array of AuthorizationDetail objects. Uber provides additional metadata for the authorization.

See OAuth 2.0 Rich Authorization Requests.

Create Token

OAuth 2 token endpoint as described in RFC6749 Section 3.2. The token endpoint provides:

  1. Obtaining refresh_token by providing authorization_code. Uber Pay gets authorization code at the end of authorization flow (when partner redirects user at the end of GET /authorize flow). Refresh tokens are expected to have longer validity period.
  2. Obtaining access_token by providing refresh_token. Uber Pay exchanges long-lived refresh_token it holds with a short-lived access_token.

In case of an invalid_grant error, Uber Pay re-initiates authorization flow.

Authorizations:
uberpay-http-signature-auth
header Parameters
Content-Type
required
string

The Content-Type header should always be set to application/json.

Date
required
string

Date in GMT as per RFC7231 Section 7.1.1.1

Digest
required
string

Cryptographic hash of the request body as per RFC3230 using SHA256 algorithm. See also RFC5843.

Signature
required
string

RSA signature of request-target, Date and Digest headers as per Draft Cavage HTTP Signatures. Section 4.1.1. See uberpay-http-signature-auth.

Request Body schema: application/json
One of
client_id
required
string

Client ID provided by Partner to Uber Pay

client_secret
required
string

Client secret providede by Partner to Uber Pay. See RFC6749 Section 2.3.1.

grant_type
required
string
Value: "authorization_code"

Use authorization_code for requests which send authorization code and receive refresh_token.

code
required
string

Authorization code. Uber Pay receives uses the authorization code obtained at the end of authorization flow.

redirect_uri
required
string

Identical to the redirect_uri which was used in authorization flow.

Responses

Response Schema: application/json
One of
refresh_token
required
string

Refresh token used to obtain access token. Partner implementation must not permit use of this token in other endpoints (charge, refund etc.)

See RFC6749 Section 1.5

token_type
required
string
Value: "bearer"
scope
string

Authorized scope according to the requested scopes in earlier GET /authorize request.

required
Array of objects (AuthorizedAccount)
expires_in
string

Time before expiration in seconds

Request samples

Content type
application/json
Example
{
  • "client_id": "string",
  • "client_secret": "string",
  • "grant_type": "authorization_code",
  • "code": "string",
  • "redirect_uri": "string"
}

Response samples

Content type
application/json
Example
{
  • "refresh_token": "string",
  • "token_type": "bearer",
  • "scope": "string",
  • "authorization_details": [
    ],
  • "expires_in": "string"
}

Settlement Integration

As part of the integration with Uber Pay, Uber's partners need to be onboarded to Uber's settlement platform for an automatic reconciliation process.

What you need to do before the launch

As part of the integration, we ask you to set up an SFTP folder and safely share its credentials with Uber.

As payments go through your systems, you will generate and place settlement files following an agreed upon format on a given cadence (e.g. weekly).

Once granted access, Uber's systems will be able to automatically fetch the files and ingest them into the settlement platform.