
UPS package tracking API -- how to not expose password?

It seems that sending this with every XML request is the only way to use the UPS Tracking API:

<?xml version="1.0" ?>
<AccessRequest xml:lang='en-US'>
  <AccessLicenseNumber>YOURACCESSLICENSENUMBER</AccessLicenseNumber>
  <UserId>YOURUSERID</UserId>
  <Password>YOURPASSWORD</Password>
</AccessRequest>

So basically you can't use it in a desktop app, because your users would be able to find your password. And yes, I could run a backend on my own server, but that's needlessly complicated. Does UPS provide a sane way to authenticate without having to put a copy of the password in each copy of my app?

asked Oct 08 '22 02:10

houbysoft


1 Answer

If you want to access the UPS API directly, not through your own server, then you can't. UPS has put the requirement for an API key and password for a reason: to have some control over how the API is used (and, for example, throttle requests for an API key if necessary). Even if you decide you can live with giving strangers access to your API key and password, it's quite likely it will get revoked (I'm pretty sure you are not allowed to share those). So using the API is out of the question.

As an alternative, you could try getting the tracking info using public tracking (no API) on their website, but you are likely to hit per-IP request limits, CSRF tokens, etc., and should the page change in any way, you are screwed. Not a good idea.

Simple app or not, you'll have to run part of it on your server.

answered Oct 13 '22 12:10

c2h5oh
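
An added example, not part of the original question or answer and not UPS code: a sketch of the server-side part the answer describes, where the desktop app sends only a tracking number and the server attaches the AccessRequest from the question. The environment variable names, the tracking-number allow-list, the `TrackRequest` body and the `send_upstream` callable (whatever posts the XML to UPS) are assumptions made for illustration.

```python
import os
import re
from xml.sax.saxutils import escape

# Assumed allow-list for tracking numbers (constructed for this example).
TRACKING_RE = re.compile(r"[A-Z0-9]{8,35}")


def build_access_request(creds):
    """AccessRequest from the question, with every value XML-escaped."""
    return (
        '<?xml version="1.0" ?>'
        "<AccessRequest xml:lang='en-US'>"
        f"<AccessLicenseNumber>{escape(creds['license'])}</AccessLicenseNumber>"
        f"<UserId>{escape(creds['user'])}</UserId>"
        f"<Password>{escape(creds['password'])}</Password>"
        "</AccessRequest>"
    )


def build_track_request(number):
    # Assumed body shape; take the real one from the UPS documentation.
    return ('<?xml version="1.0" ?><TrackRequest>'
            f"<TrackingNumber>{escape(number)}</TrackingNumber></TrackRequest>")


def handle_track(tracking_number, creds, send_upstream):
    """Server-side handler: the client supplies only a tracking number."""
    number = tracking_number.strip().upper()
    if not TRACKING_RE.fullmatch(number):
        return 400, "invalid tracking number"
    try:
        reply = send_upstream(build_access_request(creds) + build_track_request(number))
    except Exception:
        # Never return exception text: it may contain the request body.
        return 502, "upstream error"
    # Defence in depth: refuse to relay a reply that echoes a secret.
    if any(secret and secret in reply for secret in creds.values()):
        return 502, "upstream error"
    return 200, reply


def creds_from_env():
    """Secrets stay in the server's environment (variable names assumed)."""
    return {
        "license": os.environ["UPS_ACCESS_LICENSE"],
        "user": os.environ["UPS_USER_ID"],
        "password": os.environ["UPS_PASSWORD"],
    }
```

Per-client rate limiting belongs in front of `handle_track`, since every request the proxy forwards counts against the one UPS account.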