Unified access to UTE Mueve API
This is the dashboard for the public bridge to movilidadelectrica.ute.com.uy/api/v2. It handles the anonymous JWT lifecycle internally, validates Uruguayan CIs with the check-digit algorithm, and exposes a typed REST surface with interactive docs.
Quick access
Interactive map
Preview with OpenStreetMap + Leaflet, live filters, and code snippet in TS/JS/cURL/Python.
API Reference
Browse endpoints with real sanitized examples, Zod schemas, and inline "Try it". Rendered with Scalar.
OpenAPI 3.1 Spec
JSON generated live from the Zod schemas. Ready for code generators.
Status check
Performs a real round-trip to UTE (token + GET configuration). Returns OK, latency, and cache backend.
Health
Simple liveness, does not touch upstream. Useful for Vercel/load-balancer health checks.
Security report
12 findings from the static APK analysis, including critical IDOR F-05.
VR-001 - Critical IDOR
Formal disclosure report: with an anonymous token and an 8-digit Uruguayan CI, PII and partial credit-card data are exposed.
Station search parameters
All parameters are optional and accept arrays. Without parameters, the search returns all available stations. The Value column shows the codes accepted by the SDK and the /stations/search and GET /stations?... endpoints. The bridge internally translates these to UTE's verbose strings.
connectorTypes - physical connector type
Charger plug standard. Your vehicle determines which one you can use.
| Value | Description |
|---|---|
| "Tipo 2" | European three-phase AC (Mennekes). Slow/medium charge at home or public AC stations. |
| "CCS2" | European combined DC fast. Dominant standard for modern cars in Uruguay. |
| "CHAdeMO" | Japanese DC fast (Nissan Leaf, etc.). Limited compatibility. |
| "GB/T" | Chinese DC fast. Mostly present in Asian fleets (BYD, etc.). |
statuses - connector state right now
Status reported by the station. The search defaults to ['available'].
| Value | Description |
|---|---|
| "available" | Available: free to start a charge. |
| "charging" | Charging: currently in use. |
| "no-comm" | No communication: station not reporting to the server. |
| "unavailable" | Unavailable: out of service. |
paymentTypes - accepted payment methods
How the charge session is authenticated at the station.
| Value | Description |
|---|---|
| "rfid" | UTE RFID card (physical card tapped against the reader). |
| "app" | Mobile app (UTE Mueve / QR code / remote charge). |
cables - cable provisioning
Whether the station provides its own cable or you bring one.
| Value | Description |
|---|---|
| "with" | With cable: the station provides one (faster to plug in). |
| "without" | Without cable: you have to plug in your own (typical AC Type 2). |
networks - charging network operator
Operator or "network" the station belongs to. Tariff and app vary by network.
| Value | Description |
|---|---|
| "PUBLIC" | Public: UTE's own network, accessible to everyone. |
| "TAXI" | Taxi: network dedicated to electric taxi fleet. |
| "DMC" | DMC: external operator (EMSP). Roaming. |
| "ONE" | eOne: external operator (EMSP). Roaming. |
powers - power in kW
Filter by charger power. Pass an array of numbers.
| Value | Description |
|---|---|
| [0] | Any power (default if not specified). |
| [60] | Only 60 kW fast chargers. |
| [22, 50, 60] | Any of 22, 50, or 60 kW. |
Defaults without parameters: all categories selected except statuses, which is restricted to ['available']. This replicates the "Show available" behavior of the UTE Mueve app.
Available endpoints (18 routes)
| Method | Path | Description | Tags |
|---|---|---|---|
| GET | /configuration/appversion | Minimum supported app version | Configuration |
| POST | /stations/search | Friendly search with enums (CCS2, available, PUBLIC…) | Stations |
| GET | /stations?types=CCS2&statuses=available | Search via query string (shareable URL) | Stations |
| GET | /stations/available | Shortcut: all stations available right now | Stations |
| POST | /station/statusFiltered | Verbatim UTE body (power-user) | Stations Advanced |
| POST | /station/renewEnergy | Renewable energy in a date range | Stations |
| GET | /customer/card/{userId} | Registered customer cards | Customer |
| POST | /customer/card/register | Register a card (gated) | Customer Writes |
| POST | /customer/card/unregister | Unregister a card (gated) | Customer Writes |
| GET | /card/{userId} | Customer's UTE-issued cards | Cards |
| POST | /card/accounts | Look up an account by CI or document | Accounts |
| GET | /network/{userId} | Networks enabled for the customer | Networks |
| GET | /remotecharge/user/{userId} | Customer charge history | Remote Charge |
| GET | /remotecharge/transaction/{transactionId} | Detail of a charge transaction | Remote Charge |
| POST | /remotecharge/connector/status | Live connector status | Remote Charge |
| POST | /remotecharge/start | Start a remote charge (gated) | Remote Charge Writes |
| POST | /remotecharge/stop | Stop a remote charge (gated) | Remote Charge Writes |
| POST | /notification/register | Register FCM token (gated) | Notifications Writes |
Endpoints tagged Writes require ENABLE_WRITE_ENDPOINTS=true at deployment. They return 503 WRITES_DISABLED by default.
Use from TypeScript
SDK @ute-mueve/sdk
Isomorphic client, zero runtime dependencies, ESM + CJS.
```ts
import { UteMueveClient } from '@ute-mueve/sdk';

// Direct mode (Node.js): SDK talks to UTE directly,
// handles the anonymous JWT and uniquekeyuser for you.
const client = new UteMueveClient();

// Browser? Use the bridge to bypass CORS:
// const client = new UteMueveClient({ baseUrl: 'https://ute-mueve.vercel.app' });

// All stations available right now
const open = await client.stations.available();

// Friendly filters
const ccs2 = await client.stations.search({
  connectorTypes: ['CCS2', 'CHAdeMO'],
  statuses: ['available'],
  networks: ['PUBLIC'],
});

// Within 5 km of Plaza Independencia (Haversine client-side)
const nearby = await client.stations.near({
  lat: -34.9061, lng: -56.1990, radiusMeters: 5000,
});
```
cURL
The bridge injects the token; the client only sends JSON.
```bash
# Live round-trip to UTE
curl https://ute-mueve.vercel.app/status

# Friendly search
curl -X POST https://ute-mueve.vercel.app/stations/search \
  -H 'content-type: application/json' \
  -d '{"connectorTypes":["CCS2","CHAdeMO"],"statuses":["available"],"networks":["PUBLIC"]}'

# Search via GET (shareable URL)
curl 'https://ute-mueve.vercel.app/stations?types=CCS2,CHAdeMO&statuses=available&networks=PUBLIC'

# Lookup by Uruguayan CI
curl -X POST https://ute-mueve.vercel.app/card/accounts \
  -H 'content-type: application/json' \
  -d '{"docType":"CI","docNumber":"12345672","onlyUte":false}'
```
Security notice
⚠️ Critical IDOR in the upstream API
UTE's anonymous JWT is not bound to a user. An attacker with internet access and a valid Uruguayan CI can read first/last name, BIN + last 4 of the linked credit card, expiration month/year, brand, and Mercado Pago payerCardId. Full detail: VR-001 Report. Extended technical notice: SECURITY.md.
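What binding the token to a user would look like for the customer routes in the endpoint table, next to the unbound behaviour the notice describes. This is an added example, not code from UTE, the bridge, or the SDK; the claim names `anonymous` and `sub`, the public/owned route classification, and the sample ids are assumptions.

```typescript
// Added example; not code from UTE, the bridge, or the SDK.
// Assumed: claim names `anonymous`/`sub`, the route classification, sample ids.
type Claims = { anonymous: boolean; sub?: string };
type Decision = { status: 200 | 401 | 403; reason: string };

// Public data in the endpoint table: fine to serve with the anonymous token.
const PUBLIC_ROUTES: RegExp[] = [/^\/configuration\//, /^\/stations?(\/|$)/];
// GET routes in the endpoint table whose path names a customer.
const OWNED_ROUTES: RegExp[] = [
  /^\/customer\/card\/([^/]+)$/,
  /^\/card\/([^/]+)$/,
  /^\/network\/([^/]+)$/,
  /^\/remotecharge\/user\/([^/]+)$/,
];

function ownerOf(path: string): string | null {
  for (const re of OWNED_ROUTES) {
    const m = re.exec(path);
    if (m) return m[1] ?? null;
  }
  return null;
}

// Behaviour the notice describes: holding any token, even the anonymous one, is enough.
function authorizeUnbound(_method: string, _path: string, claims: Claims | null): Decision {
  return claims
    ? { status: 200, reason: 'token present' }
    : { status: 401, reason: 'no token' };
}

// Hardened: default-deny for anonymous tokens; the path id must equal the token subject.
function authorizeBound(method: string, path: string, claims: Claims | null): Decision {
  if (!claims) return { status: 401, reason: 'no token' };
  if (PUBLIC_ROUTES.some((re) => re.test(path))) return { status: 200, reason: 'public route' };
  if (claims.anonymous || !claims.sub) return { status: 401, reason: 'login required' };
  const owner = method === 'GET' ? ownerOf(path) : null;
  if (owner !== null && owner !== claims.sub) return { status: 403, reason: 'not the owner' };
  // Routes that carry the identifier in the body need the same comparison in the handler.
  return { status: 200, reason: 'bound token' };
}

// Constructed sample tokens and requests.
const anon: Claims = { anonymous: true };
const alice: Claims = { anonymous: false, sub: '1001' };
console.log(authorizeUnbound('GET', '/customer/card/1002', anon)); // the flaw
console.log(authorizeBound('GET', '/customer/card/1002', anon));
console.log(authorizeBound('GET', '/customer/card/1002', alice));
console.log(authorizeBound('GET', '/customer/card/1001', alice));
```

The anonymous token keeps working for station and configuration data, so the map and search features are unaffected by the stricter check.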