UPS Developer APIs (REST + OAuth 2.0)

UPS Developer APIs are the modern UPS surface for shipping, rating, tracking, time-in-transit, and address validation. They use REST with JSON bodies and OAuth 2.0 for authentication. UPS sunset its legacy XML and SOAP web services on 2024-06-03; integrators that still see references to UPS XML must migrate to this REST surface to avoid scheduled-failure outages. Authentication uses the OAuth 2.0 client_credentials grant. Cache the access token centrally, refresh with a buffer before expiry, and ensure only one refresh runs concurrently across workers — uncoordinated refreshes will rate-limit the UPS token endpoint and widen any auth incident. Authorization Code grant is also supported for partner integrations that act on behalf of an end-user account. The sandbox endpoint (`wwwcie.ups.com`) returns deterministic test data for many tracking and rate flows, but negotiated rates and account-specific surcharges are typically only correct in production. Treat the sandbox as a contract test, not a rate-accuracy test. Webhooks for tracking events are delivered through UPS Quantum View Notify; signature validation must run against the raw request body before parsing. When migrating from the legacy XML/SOAP surface, expect rate response shapes, tracking-event vocabularies, and error codes to change. The migration is not a one-line endpoint swap; treat it as a contract migration with parallel running and explicit cutover.