Log in to the UPS Developer Portal and create a new app; the portal now issues a client_id and client_secret instead of an access key
Replace the three-part legacy auth header (AccessLicenseNumber, UserId, Password) with a Bearer token obtained via POST /security/v1/oauth/token using client_credentials grant
Update the base URL for all API calls from the legacy onlinetools.ups.com host to onlinetools.ups.com/api (REST) paths as documented in the migration guide
Retest each API surface (Rating, Shipping, Tracking, Pickup) with the new token; the request/response body schemas are largely unchanged but auth errors now return HTTP 401 with a specific error code
Implement token refresh logic: store expiry from expires_in, refresh before expiry rather than on 401 to avoid failed requests mid-workflow
Update monitoring to alert on auth failures separately from shipping failures so credential rotation issues surface quickly
Known gotchas
The legacy AccessLicenseNumber-based auth was deprecated in 2024; any integration still using it will receive auth errors without a grace period extension
Client credentials grant does not carry a user identity; if your workflow required per-user UPS accounts, you must now manage multiple app credentials or use the authorization code flow
UPS rate limits are enforced per client_id; if you previously had multiple API keys mapped to the same account, consolidating them raises the risk of hitting a single app's rate cap
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp