In 2023, the global average data breach cost rose to $4.45 million. EasyPost and UPS are updating the UPS integration to OAuth 2.0 to enhance security and API capabilities, aligning with new carrier requirements and improving user data protection.
Functionality
What is OAuth 2.0?
Okta's standard authorization protocol allows applications to act on a user’s behalf without sharing password details. It is widely used in “Sign in with Google” scenarios.
User Benefits
OAuth 2.0 offers simplified logins and secure accounts by authorizing access without direct credentials. Users can seamlessly connect their UPS shipper account to EasyPost, eliminating the need to enter credentials manually.
EasyPost Default UPS Account
No action is required. EasyPost manages the transition to OAuth 2.0 for users utilizing the EasyPost Default UPS account.
EasyPost managed the transition of existing UPS accounts to OAuth 2.0 using a bridge solution before the June 3, 2024 deadline. This includes, but is not limited to, UTM accounts, UPS Mail Innovations, UPS Worldwide Economy, and UPS SurePost. Customers whose accounts have not yet been reauthorized are required to complete the reauthorization process.
Account Authorization
To authorize accounts using the EasyPost Dashboard, complete the authorization process before August 5, 2024.
Log in to EasyPost and navigate to Account Settings.
Select the Carriers tab.
Locate the UPS account and select Authorize.
Follow the UPS authorization page prompts.
Confirmation of Authorization Complete will be displayed.
When logging in to a UPS account via the EasyPost dashboard, please ensure the correct login credentials associated with the UPS account are used.
Verify the UPS account number by selecting the edit function in the EasyPost dashboard, as demonstrated below:
Logging in with incorrect UPS account details will result in an error.
The UPS Account Number can also be found by logging into the UPS account and navigating to Profile > Payment Options.
Those unable to manage the UPS carrier account authorization through the EasyPost Dashboard should use the designated micro-site or create a personal UPS OAuth application.
Reauthenticate Button
If authorization issues persist, attempt to reauthenticate using the edit functionality within the EasyPost Dashboard. Should problems continue after reauthentication, contact support@easypost.com for further assistance.
For UPS users wishing to reauthorize accounts without a user interface.
Option for Non-UI Users
This option is for customers who prefer not to use a user interface but need to authorize their accounts. To reauthorize and create a new UPS account via the API, use the OAuth-compliant endpoint:
If issues arise with this endpoint, a new account may be generated through the EasyPost Dashboard. For further assistance, contact support@easypost.com. For additional guidance, refer to the sample requests and response below.
The “partner_oauth_url” value is the link to the EasyPost Partner OAuth Portal microsite that will facilitate the OAuth validation flow for the Carrier Account.
EasyPost Carrier Account ID (if authorizing an existing account)
Account Descriptions (for new accounts – to distinguish the account for reporting purposes)
Reference ID (for new accounts – to distinguish the account for reporting purposes)
The UPS account user will receive a link to enable the OAuth process.
The link will direct the user to the UPS login for OAuth sign-in.
The EasyPost backend will validate the information and store the access token upon successful authentication.
For users who will bring their own UPS OAuth Application.
Bring Your Own UPS OAuth Application
For customers who have created their own UPS OAuth application, EasyPost requires the Client_ID and Secret_Key obtained after creating the application. EasyPost will store the OAuth credentials and complete the OAuth process. See Getting Started with UPS APIs for more information.
UPS OAuth Application Setup
To ensure compliance with UPS OAuth requirements:
Contact a UPS representative to request an invitation to create a UPS OAuth application. If unavailable, contact an EasyPost Customer Success Manager for assistance.
Accept the invitation via the UPS developer portal.
Provide the UPS accounts associated with the UPS Ready account(s) to the UPS contact. Consult an EasyPost Customer Success Manager for assistance in identifying these accounts.
Notify the Customer Success Manager once the OAuth application is operational to receive further guidance and the endpoint changes necessary for full connectivity. Additional documentation on subsequent steps will be provided.
User Instructions for End-Users of EasyPost Customers with Self-Created UPS OAuth Applications
These instructions are intended for end-users who access UPS services through our customers' platforms. The process described below must be completed via our customer’s platform, not directly through EasyPost. End-users must follow these steps on the respective customer’s platform to authenticate their UPS accounts effectively.
Authentication Path for UPS Accounts
Users log into the platform.
Users are directed to a page containing the UPS Lasso Login link.
Users select the UPS Lasso Login link or button and are presented with a UPS login.
Upon successfully entering credentials, UPS will call the platform's newly created backend API.
Success Case: The platform calls the newly created EasyPost Platform Registration API, where EasyPost manages the authentication and refresh tokens.
Failure Case: An error message explains why the UPS login was unsuccessful, and users are redirected back to the Lasso login page.
Request
API Key: Current API Key used to authorize with the EasyPost API.
Test: When using the UPS Test API, set this parameter to True; by default, it is set to False.
Carrier Account Public ID: Created within the EasyPost platform.
Account Number: The UPS Carrier Account Number
Client ID: Provided by UPS during the OAuth application creation process.
Secret Key: Provided by UPS during the OAuth application creation process.
Refresh Token: Provided by UPS during the OAuth lasso login response.
Should the error “Invalid Authentication Information” appear, it indicates that the UPS account requires reauthentication. Verify that the correct username and password for the UPS account are being used during the UPS OAuth process.
Invalid Refresh Token
The “Invalid Refresh Token” error necessitates reauthenticating the UPS account to re-initiate the UPS OAuth flow. It may occur due to:
A discrepancy between the login credentials used for UPS.com and those on file with EasyPost.
The user being blocked by UPS after too many invalid login attempts.
The account remaining inactive for 18 months, leading to UPS deactivating it.
UPS also returns the error "invalid/Missing Refresh Token." The UPS OAuth team is currently working to make the returned error more consistent, but users should follow the process of reauthorizing their accounts.
Access Token Not Approved
The "Access Token Not Approved" error typically relates to user actions, not token issues. Possible reasons include:
Account deletion by the account holder, preventing authentication using that profile.
Password changes, necessitating reauthorization of the UPS account with the new password.
Blocking by UPS due to detection of transactions considered malicious. In such cases, contact UPS directly for resolution.
Rating Errors
If public rates are returned instead of account-specific rates, reauthenticate the UPS account to re-initiate the UPS OAuth flow. This ensures the account rates are properly applied.
Account Authorization Errors
If an error stating, “The account number provided is not associated with the UPS login and password you are trying to authorize” is encountered, it may be necessary to add the EasyPost account to the Accounts and Payment options in the UPS account.
Navigate to ups.com and log in with the credentials linked to the attempted EasyPost authorization.
Click on the User icon in the upper right corner (blue circle with the letter ‘R’), then select Accounts and Payment. This displays a list of account numbers currently authenticated in the profile. Note: If the account number that needs authentication through EasyPost is not listed, add it as a payment method.
Use the Add a Payment Method drop-down option to Add Existing Account.
Input the account number, assign a nickname, and select the country associated with the account.
Choose one of two methods for authentication:
Invoice Verification: Provide details from one of the three most recent billing invoices, including the invoice number, dollar amount, invoice date, and control ID.
PIN Verification: A PIN will be sent to the email associated with the account for verification.
After authenticating the account, proceed with EasyPost authentication.
Tokens expire every 60 days; EasyPost refreshes them 10 days before expiration.
What happens if token refresh fails?
EasyPost notifies users of any refresh issues and will take appropriate action.
How can accounts be created after June 3, 2024?
As of June 3, 2024, accounts can still be created through the EasyPost dashboard. However, a new endpoint must be implemented to generate OAuth-compliant accounts through the API. See UPS OAuth Application Setup above.
Can a UPS CampusShip account be authorized?
No, a UPS CampusShip account cannot be authorized through the new OAuth process. Please work with a UPS Account representative to create a new account.
What does it mean when the OAuth status shows as failed or approved?
If the OAuth status shows failed, the OAuth lasso-login flow needs to be completed. If the OAuth status shows approved, it means the account lasso login has been successfully completed.
Self-Managed Accounts
Users are responsible for token storage and refresh. For details on refreshing tokens, please visit the UPS Developer Portal.
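The refresh bookkeeping a self-managed integration has to run, as an added example (not EasyPost or UPS code). It assumes the integration mirrors the 60-day expiry and 10-day refresh lead stated above, that an expired token requires reauthorization, and that the error strings on this page signal reauthorization; `TokenRecord`, `next_action`, `run_refresh` and the `refresh_fn` callback are hypothetical names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

TOKEN_LIFETIME = timedelta(days=60)  # page: tokens expire every 60 days
REFRESH_LEAD = timedelta(days=10)    # page: refreshed 10 days before expiration

# Error strings this page says are resolved by reauthorizing the UPS account.
REAUTH_ERRORS = {
    "invalid refresh token",
    "invalid/missing refresh token",
    "invalid authentication information",
}

class Action(Enum):
    NONE = "none"                # token is fresh, nothing to do
    REFRESH = "refresh"          # inside the refresh window
    REAUTHORIZE = "reauthorize"  # user must repeat the UPS OAuth login

@dataclass
class TokenRecord:  # hypothetical record: timing metadata only, no secret
    account_id: str
    issued_at: datetime  # timezone-aware UTC
    needs_reauth: bool = False

def next_action(rec: TokenRecord, now: datetime) -> Action:
    expires_at = rec.issued_at + TOKEN_LIFETIME
    if rec.needs_reauth or now >= expires_at:
        return Action.REAUTHORIZE  # assumption: expired tokens cannot be refreshed
    if now >= expires_at - REFRESH_LEAD:
        return Action.REFRESH
    return Action.NONE

def run_refresh(rec: TokenRecord, now: datetime, refresh_fn) -> Action:
    """refresh_fn(account_id) is caller-supplied and returns (ok, error_text)."""
    action = next_action(rec, now)
    if action is not Action.REFRESH:
        return action
    ok, error = refresh_fn(rec.account_id)
    if ok:
        rec.issued_at = now  # a new 60-day lifetime starts now
        return Action.NONE
    if error and error.strip().lower() in REAUTH_ERRORS:
        rec.needs_reauth = True  # stop retrying; surface to the account owner
        return Action.REAUTHORIZE
    return Action.REFRESH  # other failure: retry later inside the window
```

The record deliberately holds no token material; the refresh token itself belongs in a secrets store with access limited to the refresh job.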
Does the UPS lasso login expire?
The lasso login does not expire.
Do I have to re-auth if I change my UPS password on UPS.com?
Yes, re-auth is required when the UPS account password on UPS.com is changed. Errors such as 'Invalid/Missing Refresh Token' may be experienced until the re-auth is completed.