Authentication overview

Authentication for Grab's APIs is primarily managed through the OAuth 2.0 framework, specifically the Client Credentials Grant type for server-to-server interactions. Under this grant the access token identifies and authorizes the calling application itself, not an individual end user. For specific use cases, such as certain payment integrations or public-facing APIs, API keys may also be employed. The overall goal of Grab's authentication system is to ensure that every API request originates from a legitimate, authorized application, thereby protecting data privacy and service integrity.

Before any API requests can be successfully made to Grab's platform, an application must obtain valid credentials and present them in each request. These credentials typically involve a Client ID and Client Secret, which are unique identifiers for your application. The authentication process involves exchanging these credentials for an access token, which is then used to authorize subsequent API calls. This token-based approach provides a robust and secure mechanism for controlling access to Grab's extensive suite of APIs, including those for Transport, Food, Express, and Pay, as detailed in the Grab developer documentation.

Supported authentication methods

Grab primarily supports OAuth 2.0 with the Client Credentials Grant type for most server-side API integrations. This method is suitable for applications that need to access Grab's APIs without direct user interaction, such as backend services automating delivery requests or integrating payment processing. For client-side applications or specific public APIs, API keys might be used as a simpler authentication mechanism, though generally with more limited permissions or for non-sensitive operations.

The table below summarizes the common authentication methods supported by Grab's API platform:

| Method | When to use | Security level |
| --- | --- | --- |
| OAuth 2.0 (Client Credentials Grant) | Server-to-server communication, backend services, integrations without end-user involvement. | High: uses short-lived access tokens, with secrets managed on the server. Adheres to the industry-standard OAuth 2.0 specification. |
| API Keys | Client-side applications for non-sensitive data, public data access, or specific product integrations where OAuth is not required. | Medium: requires secure storage and transmission. Vulnerable if exposed in client-side code without proper precautions. |

OAuth 2.0 is an industry-standard authorization protocol that lets an application obtain limited access to an HTTP service, such as Grab, without the service's users ever handing over a password. The Client Credentials Grant type is designed for confidential clients: applications running on infrastructure you control that can keep a secret, which is why it belongs in backend services and not in browser or mobile code. Your application exchanges its `client_id` and `client_secret` for an access token directly with Grab's authorization server, then sends that token in the `Authorization` header of each subsequent API request, in the form `Bearer <ACCESS_TOKEN>`. The token is a bearer credential: whoever presents it is granted the access it carries, with no further proof of identity, so it must be handled with the same care as the secret that produced it.

Getting your credentials

To begin integrating with Grab's APIs, you must first register your application and obtain the necessary authentication credentials. This process typically involves several steps within the Grab Developer Portal:

  1. Create a Grab Developer Account: If you don't already have one, sign up for a developer account on the Grab platform.
  2. Register a New Application: Within your developer dashboard, you will find an option to register a new application. During this process, you will provide details about your application, such as its name, description, and potentially its intended use cases.
  3. Obtain Client ID and Client Secret: Upon successful registration, Grab will generate a unique Client ID and Client Secret for your application. The Client ID is a public identifier for your application, while the Client Secret is a confidential key that must be kept secure. These are crucial for the OAuth 2.0 Client Credentials Grant flow.
  4. Generate API Keys (if applicable): For certain specific Grab APIs or functionalities, you might need to generate dedicated API keys. The developer portal will guide you through this process if required for your integration. These keys should also be treated with the same level of confidentiality as your Client Secret.
  5. Configure Redirect URIs (for user-facing OAuth flows, if applicable): While the Client Credentials Grant doesn't typically involve user redirects, if your application later expands to include user-facing authentication (e.g., if Grab were to implement an Authorization Code Grant for user login), you would need to configure appropriate redirect URIs in your application settings. For the Client Credentials Grant, this step is generally not required.

It is critical to store your Client Secret and any API keys securely. They must never be hardcoded into client-side code, committed to a repository (public or private), written to logs or error messages, or sent over anything other than HTTPS. Treat them as you would a password for a critical system: anyone holding the secret can obtain tokens and act as your application.
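The two handling rules above, loading the secret from the environment and keeping it out of logs, in code. This is an added example, not Grab's code or SDK; the variable names GRAB_CLIENT_ID and GRAB_CLIENT_SECRET are this example's choice, not names Grab's developer portal prescribes, and the regular expressions cover the three shapes a credential most often takes in a log line (an Authorization header, a client_secret form field, a bare JWT) rather than every possible one.

```python
"""Loading Grab API credentials from the environment and keeping them out of logs.

Added example, not Grab's code. Assumes two environment variable names,
GRAB_CLIENT_ID and GRAB_CLIENT_SECRET, chosen for this example only.
"""
import logging
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Credentials:
    client_id: str
    client_secret: str

    def __repr__(self) -> str:
        # The default dataclass repr would print the secret; tracebacks and debuggers call repr() freely.
        return f"Credentials(client_id={self.client_id!r}, client_secret='***')"


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read credentials from the environment and fail fast if either is missing or empty."""
    env = os.environ if env is None else env
    missing = [name for name in ("GRAB_CLIENT_ID", "GRAB_CLIENT_SECRET") if not env.get(name)]
    if missing:
        raise RuntimeError("missing required environment variables: " + ", ".join(missing))
    return Credentials(env["GRAB_CLIENT_ID"], env["GRAB_CLIENT_SECRET"])


# The three ways a credential most often lands in a log line: a Bearer token in an
# Authorization header, a client_secret form field, and a bare JWT (three base64url
# segments joined by dots; "eyJ" is how a base64url-encoded '{"' begins).
_REDACTIONS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(client_secret=)[^&\s]+"), r"\1[REDACTED]"),
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*"), "[REDACTED-JWT]"),
]


def redact(text: str) -> str:
    """Scrub known credential shapes from a string; cheap enough to run on every log message."""
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites each record's message through redact() before handlers see it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()   # message is now fully formatted; stop handlers re-applying the args
        return True


def filtered_message(fmt: str, *args) -> str:
    """Format one message the way the logging module would, after RedactingFilter has run."""
    record = logging.LogRecord("grab-client", logging.INFO, "", 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def redacting_logger(name: str = "grab-client") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    # Constructed values; in production these come from the real environment.
    creds = load_credentials({"GRAB_CLIENT_ID": "demo-id", "GRAB_CLIENT_SECRET": "demo-secret"})
    print(creds)   # the secret does not appear
    logging.basicConfig(level=logging.INFO)
    log = redacting_logger()
    log.info("POST /oauth/v1/token body=grant_type=client_credentials&client_id=%s&client_secret=%s",
             creds.client_id, creds.client_secret)
```

Attach the filter at the logger that your HTTP layer writes to, not only at a handler, so the redaction happens before the record propagates to any root-level handler such as a crash reporter.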

Authenticated request example

This example demonstrates how to obtain an OAuth 2.0 access token using the Client Credentials Grant and then use that token to make an authenticated request to a hypothetical Grab API endpoint. This process involves two main steps: first, making a request to Grab's token endpoint to exchange your Client ID and Client Secret for an access token, and second, using that access token in the Authorization header of your actual API call.

Step 1: Obtain an Access Token

You would send a POST request to Grab's token endpoint, typically with Content-Type: application/x-www-form-urlencoded. Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with your actual credentials. Note that a secret passed as a curl argument ends up in your shell history and is visible to other users of the machine through the process list; for anything beyond a one-off test, have curl read the body from a file (-d @request.txt) or build it from an environment variable in a script.

curl -X POST "https://api.grab.com/oauth/v1/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"

A successful response would include an access_token and its expires_in duration (in seconds):

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "grab.transport grab.food"
}

Step 2: Make an Authenticated API Request

Once you have the access_token, include it in the Authorization header of your subsequent API calls, prefixed with Bearer and a single space. The server checks only that the token is valid and unexpired, not who is presenting it, so a leaked token is usable by anyone until it expires.

curl -X GET "https://api.grab.com/transport/v1/rides/products" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json"

This request would retrieve a list of available ride products, demonstrating the use of the previously obtained access token to authorize the API call. The Client Credentials Grant issues no refresh token; to renew, simply repeat the token request. Cache the token and reuse it across calls rather than requesting a new one per request, renew it shortly before expires_in elapses (the lifetime is set by the server, not by the client), and treat a 401 response as a signal to discard the cached token and request a new one once. Repeated 401s after that point to a rotated secret or a revoked token, not a transient error.
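The two steps above as a small client that caches the token, renews it ahead of expiry and retries once on a 401. This is an added example, not Grab's SDK or sample code. The two URLs are the ones used in the curl commands on this page; the HTTP transport is injected, and the FakeGrabServer and FakeClock are constructed stand-ins so the flow can be run offline, so nothing here reproduces Grab's actual responses or token lifetimes. The 60-second renewal margin is this example's choice.

```python
"""Client Credentials token handling for Grab's API: obtain, cache, renew, retry.

Added example, not Grab's SDK. URLs are those shown on this page; the server
below is a constructed stand-in, not Grab's real behaviour.
"""
import time
from typing import Callable, Dict, Tuple

TOKEN_URL = "https://api.grab.com/oauth/v1/token"
PRODUCTS_URL = "https://api.grab.com/transport/v1/rides/products"

# transport(method, url, headers, form) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, dict]]


class ClientCredentialsSession:
    """Holds one application's credentials and reuses its access token until shortly before expiry."""

    # Renew this many seconds before expires_in runs out, so no call goes out with a
    # token that dies in flight and modest client/server clock skew is tolerated.
    RENEW_SKEW = 60

    def __init__(self, client_id: str, client_secret: str, transport: Transport, clock=time.monotonic):
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # counted so the caching behaviour can be observed

    def _fetch_token(self) -> None:
        # Same form-encoded request as the curl example above. RFC 6749 also lets a client
        # authenticate with HTTP Basic instead of body parameters; whether Grab's endpoint
        # accepts that is not stated on this page, so the body form is used here.
        status, body = self._transport(
            "POST", TOKEN_URL,
            {"Content-Type": "application/x-www-form-urlencoded"},
            {"grant_type": "client_credentials",
             "client_id": self._client_id, "client_secret": self._client_secret},
        )
        self.token_requests += 1
        if status != 200 or str(body.get("token_type", "")).lower() != "bearer":
            # Do not echo the whole response: error bodies can repeat request parameters.
            raise RuntimeError(f"token request failed: HTTP {status} ({body.get('error', 'unknown')})")
        self._token = body["access_token"]
        self._expires_at = self._clock() + float(body["expires_in"])

    def access_token(self) -> str:
        """Return the cached token, fetching a new one only when missing or inside the renew window."""
        if self._token is None or self._clock() >= self._expires_at - self.RENEW_SKEW:
            self._fetch_token()
        return self._token

    def get(self, url: str) -> Tuple[int, dict]:
        status, body = self._transport("GET", url, {"Authorization": f"Bearer {self.access_token()}"}, {})
        if status == 401:
            # Rejected despite our bookkeeping (revoked, or clocks drifted): drop the cached
            # token and retry exactly once with a fresh one; a second 401 is returned as-is.
            self._token = None
            status, body = self._transport("GET", url, {"Authorization": f"Bearer {self.access_token()}"}, {})
        return status, body


class FakeClock:
    """Constructed clock so the example can jump forward instead of sleeping."""
    def __init__(self, now: float = 1000.0):
        self.now = now
    def __call__(self) -> float:
        return self.now


class FakeGrabServer:
    """Constructed stand-in for the token endpoint and one API endpoint (not Grab's behaviour)."""

    def __init__(self, clock, client_secret: str = "YOUR_CLIENT_SECRET"):
        self._clock = clock
        self._secret = client_secret
        self._issued: Dict[str, float] = {}   # token -> absolute expiry time
        self._count = 0

    def revoke_all(self) -> None:
        self._issued.clear()

    def __call__(self, method, url, headers, form):
        if method == "POST" and url == TOKEN_URL:
            if form.get("grant_type") != "client_credentials" or form.get("client_secret") != self._secret:
                return 401, {"error": "invalid_client"}
            self._count += 1
            token = f"tok-{self._count}"
            self._issued[token] = self._clock() + 3600
            return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
        token = headers.get("Authorization", "")[len("Bearer "):]
        if self._issued.get(token, 0.0) <= self._clock():
            return 401, {"error": "invalid_token"}
        return 200, {"products": ["example-product"]}   # constructed payload


if __name__ == "__main__":
    clock = FakeClock()
    server = FakeGrabServer(clock)
    session = ClientCredentialsSession("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", server, clock)
    session.get(PRODUCTS_URL); session.get(PRODUCTS_URL)
    print("token requests after two calls:", session.token_requests)        # 1
    clock.now += 3541                                                         # now inside the renew window
    session.get(PRODUCTS_URL)
    print("token requests after the renew window:", session.token_requests)  # 2
```

In production, replace the fake transport with a real HTTP client that verifies certificates, and keep one session object per process so the cached token is shared rather than fetched anew by every request handler.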

Security best practices

Implementing strong security practices is paramount when integrating with Grab's APIs to protect sensitive data and maintain the integrity of your application and Grab's services. Adhering to these guidelines will help mitigate common security risks:

  • Secure Storage of Credentials: Your Client Secret and API keys are sensitive. Never hardcode them into application code, least of all code that ships to users (browser JavaScript, mobile apps), and never commit them to version control, even in a private repository. For server-side applications, load them at runtime from a dedicated secret management service or, failing that, from environment variables or a configuration file with restrictive permissions. The AWS Secrets Manager best practices are a reasonable reference even if you use a different secret store.
  • Environment Variables: If you use environment variables, keep them out of version control (a committed .env file is a hardcoded secret with extra steps) and use separate credentials for development, staging, and production. Be aware of their limits: the environment is inherited by every child process, may be captured in crash dumps, and on Linux is readable from /proc/<pid>/environ by other processes running as the same user, so a secret manager that hands the value to the process on demand is the stronger option for production.
  • Do Not Expose Keys in Client-Side Code: Anything embedded in browser JavaScript or a mobile app binary can be extracted by its users, so a key placed there is effectively public no matter how it is obfuscated. Never put your Client Secret, or any API key that can read personal data or perform writes, in client-side code. If a key must live client-side, give it the narrowest permissions available and route sensitive operations through your own backend, which holds the real credentials and can apply its own authentication and rate limits.
  • HTTPS Everywhere: Always ensure all communication with Grab's API endpoints uses HTTPS. This encrypts data in transit, protecting your credentials and sensitive data from interception. Keep certificate verification enabled in your HTTP client (never ship with verification disabled to work around a local proxy or test environment), and never use unencrypted HTTP to transmit authentication details or API requests.
  • Regular Key Rotation: Periodically rotate your Client Secrets and API keys, and rotate immediately if you suspect exposure (a secret in a commit, a log line, or a screenshot counts). This minimizes the window of opportunity for an attacker holding a compromised key. The Grab Developer Portal typically provides functionality to regenerate credentials. If the portal lets you hold two secrets at once, generate the new one, deploy it to every instance, and retire the old one only after every instance has switched; if regenerating invalidates the old secret immediately, treat rotation as a deployment and expect token requests to fail until every instance has the new value.
  • Least Privilege Principle: Grant your application only the minimum necessary permissions required to perform its intended functions. If an API key is only needed to read public data, do not grant it write permissions or access to sensitive user information. Review and adjust permissions as your application's needs evolve.
  • Error Handling and Logging: Implement robust error handling for authentication failures: distinguish a failed token request (bad or rotated credentials, a configuration problem) from a 401 on an API call (expired or revoked token) and from rate limiting, and never retry token requests in a tight loop. Never log Client Secrets, access tokens, or full Authorization headers in plaintext; scrub them from request and response dumps and from error messages before they reach logs, crash reporters, or end users, and log only enough context (endpoint, status code, timestamp) to diagnose the problem.
  • Monitor API Usage: Regularly monitor your API usage for suspicious activity or unexpected request patterns. Token requests from a source address you do not operate, a burst of 401 responses, call volumes outside your application's normal rhythm, or calls to endpoints your integration never uses can all indicate a compromised key and should trigger the rotation procedure above.
  • Keep SDKs and Dependencies Updated: If you are using Grab's SDKs (JavaScript, Android, iOS) or other third-party libraries for networking and security, ensure they are always kept up-to-date. Updates often include critical security patches.
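The monitoring and rotation points above, as a single-pass sweep over usage records. This is an added example, not a Grab tool, and the log format is constructed for it: one line per request carrying the calling client_id, a source address, the path and the HTTP status, as an egress proxy in front of your integration or a provider's usage report might expose. Grab's developer portal reports will look different, but the three checks carry over: a call from a source never seen for that client, a per-minute volume above the expected ceiling, and a burst of 401s, which is what a rotated secret or a revoked token looks like from the outside. The thresholds are placeholders; tune them to your own baseline.

```python
"""Spotting credential misuse in a constructed record of calls to Grab's API.

Added example, not a Grab tool. The line format, thresholds and sample data
are all constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client_id=(?P<client>\S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


class Event(NamedTuple):
    minute: str     # timestamp truncated to the minute; the bucket the counters use
    client: str
    src: str
    path: str
    status: int


class Alert(NamedTuple):
    kind: str
    client: str
    minute: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"][:16], m["client"], m["src"], m["path"], int(m["status"]))


def analyze(lines: Iterable[str], known_sources: Dict[str, Set[str]],
            max_per_minute: int = 3, max_401_per_minute: int = 3) -> List[Alert]:
    """One pass over the log; each rule fires once per client and minute (unknown_source: once per client and source)."""
    per_minute: Counter = Counter()
    failures: Counter = Counter()
    flagged_sources: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # tolerate unrelated or malformed lines rather than abort the sweep
        key = (ev.client, ev.minute)
        per_minute[key] += 1
        if ev.status == 401:
            failures[key] += 1
        if ev.src not in known_sources.get(ev.client, set()) and (ev.client, ev.src) not in flagged_sources:
            flagged_sources.add((ev.client, ev.src))
            alerts.append(Alert("unknown_source", ev.client, ev.minute,
                                f"{ev.path} called from {ev.src}, not an expected source for this client"))
        if failures[key] == max_401_per_minute:
            alerts.append(Alert("auth_failures", ev.client, ev.minute,
                                f"{max_401_per_minute} HTTP 401s in one minute: a rejected or revoked credential is in use"))
        if per_minute[key] == max_per_minute + 1:   # fires exactly once, when the ceiling is crossed
            alerts.append(Alert("rate", ev.client, ev.minute, f"more than {max_per_minute} requests in one minute"))
    return alerts


# Constructed sample: app-1 normally runs from 203.0.113.5. At 10:03, after the secret was
# rotated, something at 198.51.100.77 still tries the old secret and then an old token.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client_id=app-1 src=203.0.113.5 path=/oauth/v1/token status=200
2024-05-01T10:00:02Z client_id=app-1 src=203.0.113.5 path=/transport/v1/rides/products status=200
2024-05-01T10:00:03Z client_id=app-1 src=203.0.113.5 path=/transport/v1/rides/products status=200
2024-05-01T10:03:10Z client_id=app-1 src=198.51.100.77 path=/oauth/v1/token status=401
2024-05-01T10:03:11Z client_id=app-1 src=198.51.100.77 path=/transport/v1/rides/products status=401
2024-05-01T10:03:12Z client_id=app-1 src=198.51.100.77 path=/transport/v1/rides/products status=401
2024-05-01T10:03:13Z client_id=app-1 src=198.51.100.77 path=/transport/v1/rides/products status=401
"""
KNOWN_SOURCES = {"app-1": {"203.0.113.5"}}


def sample_alerts() -> List[Alert]:
    return analyze(SAMPLE_LOG.splitlines(), KNOWN_SOURCES)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"[{a.kind}] {a.client} {a.minute}: {a.detail}")
```

The sample produces three alerts, all in the 10:03 minute: the unknown source, then the run of 401s, then the rate ceiling. A real deployment would replace the fixed thresholds with a baseline learned from the client's own history, but the per-minute bucketing and fire-once logic are the parts that keep the alert volume manageable.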