# 02 Authentication Audit

Source checked: Uber Eats "Authentication" section shared by you.

## Implemented Now

- OAuth endpoints aligned to `auth.uber.com` in environment defaults.
- Authorization URL default scope changed to `eats.pos_provisioning` (authorization_code flow use case).
- Added cached `client_credentials` token retrieval to reduce token churn.
- Added token request tracking and soft guard near rate limit (`100/hour`).
- Added domain pairing status endpoint:
  - `GET /api/v1/auth/uber/domain-pairing-status`
- Added auth capabilities endpoint listing grant types/scopes/rate metadata:
  - `GET /api/v1/auth/uber/capabilities`
- Updated proxy auth model:
  - default regular API calls use app-level `client_credentials` token
  - optional `authMode=merchant` for merchant OAuth token calls

## Existing From Earlier

- Authorization code callback exchange
- Merchant token refresh route
- Manual merchant connection storage

## Pending / Needs More Official Docs

- Exact endpoint-by-endpoint scope mapping table enforcement in code
- Full activation/provisioning flow routes (beyond auth callback)
- Token revocation handling if Uber publishes endpoint/process details