Using Your Own OCI Configuration for SuiteScript Generative AI APIs

If your company needs more than the free monthly allocation of usage for the SuiteScript Generative AI APIs, you can configure NetSuite to use your own Oracle Cloud account with the OCI Generative AI Service. You can do this in two ways:

The ociConfig options in N/llm module methods let you pass your Oracle Cloud account credentials to the OCI Generative AI Service’s large language model (LLM).
The Settings subtab on the AI Preferences page lets you specify your Oracle Cloud account credentials when the Use OCI Configuration To Get Unlimited Usage box is checked. On the SuiteScript subtab, if the Use OCI Credentials for SuiteScript box is checked, these credentials are used when you call N/llm module methods in your scripts.

When you specify your own credentials, your scripts will not draw from the free usage pool in NetSuite for SuiteScript Generative AI APIs. Credentials that you pass using the ociConfig options in your scripts override those that you specify on the Settings subtab of the AI Preferences page.

Use these approaches when:

Your company needs more than the free monthly allocation of usage for SuiteScript Generative AI APIs.
You are building a SuiteApp, because SuiteApps installed to target accounts are prevented from using the free usage pool for SuiteScript Generative AI and must use the OCI configuration.

When using the unlimited use model through your company’s own Oracle Cloud account, your company pays for use of the Oracle Generative AI service. For more information, refer to the Calculating Cost in Generative AI section and the Billing and Cost Management section of the Oracle Cloud Infrastructure Documentation.

The sections in this topic provide instructions for using your own OCI configuration with the SuiteScript Generative AI APIs:

Step 1: Get an Oracle Cloud Account and Add the OCI Generative AI Service
Step 2: Get the OCI Configuration Details from Your Oracle Cloud Account
Step 3: Create NetSuite API Secrets for the OCI Private Key and Fingerprint
Step 4: Test OCI Configuration Parameters in Your Code

Step 1: Get an Oracle Cloud Account and Add the OCI Generative AI Service

If your company would like to use this option and does not yet have an Oracle Cloud account, refer to the Get an Oracle Cloud Account topic and the OCI Generative AI service topic Getting Access Using Policies in the Oracle Cloud Infrastructure Documentation.

After you have an Oracle Cloud account, add the OCI Generative AI Service. For instructions, refer to Getting Access to Generative AI and see the "Access to Generative AI Playground, Custom Models, Dedicated AI Clusters, and Endpoints" section for the policy to add.

Important:

When setting up Oracle Cloud Accounts and the OCI Generative AI service, be aware that SuiteScript Generative AI APIs only support the following:

NetSuite account locations: United States, Canada, the United Kingdom, Japan, the United Arab Emirates, and Australia and New Zealand
Models: Cohere Command R model (cohere.command-r-08-2024), Cohere Command R+model (cohere.command-r-plus-08-2024), and Meta Llama model (meta.llama-3.2-90b-vision-instruct)
OCI Gen AI Regions: UK South (London) or US Midwest (Chicago)

Step 2: Get the OCI Configuration Details from Your Oracle Cloud Account

Note:

Refer to the Oracle Cloud Infrastructure Documentation for the linked topics in the following list.

The necessary configuration details are:

User OCID: The user ID of the Oracle Cloud account to use in authentication for the service. For more information, refer to Managing Users.
Compartment OCID: The compartment ID of the Oracle Cloud account to use in authentication for the service. For more information, refer to Managing Compartments.
Tenancy OCID: The tenancy ID of the Oracle Cloud account to use in authentication for the service. For more information, refer to Managing the Tenancy.
Fingerprint: The OCI fingerprint of the public key to use in authentication for the service. For more information about the OCI fingerprint, refer to Required Keys and OCIDs.
Private Key: The private key of the OCI user in a file in PEM format (for example, oci_api_key.pem). The private key is used in authentication for the service. For more information about the private key of the OCI user, refer to Required Keys and OCIDs.
Endpoint ID: The endpoint ID of the dedicated AI cluster to be used by the API. Endpoint ID is only needed if you have set up a dedicated AI cluster through Oracle Cloud. For more information, refer to Hosting an Endpoint in Generative AI.

Step 3: Create NetSuite API Secrets for the OCI Private Key and Fingerprint

The following locations accept only NetSuite API secret values, which enhance security when running scripts:

The ociConfig.fingerprint and ociConfig.privateKey parameter values in N/llm methods
The API Secret for Fingerprint and API Secret for Private Key fields on the Settings subtab of the AI Preferences page

Therefore, you need to create NetSuite API secrets that contain the OCI fingerprint and OCI private key.

To create an API secret for the OCI fingerprint

As a user with an Administrator or Developer role, go to Setup > Company > Preferences > API Secrets. The API Secrets page is shown in a new browser tab.
Click Create New. The Create New Secret dialog is displayed.
On the Details tab:
1. For the ID, ensure that it starts with an underscore, because the system adds a prefix custsecret when you save.
  
  For example, if you enter _oci_config_fingerprint, then the ID will be custsecret_oci_config_fingerprint after you save.
2. Enter the OCI public key fingerprint value into the Password and Confirm Password fields.
Click the Restrictions tab and complete as follows:
1. If you are developing a SuiteApp, check the Available to SuiteApp box.
  - In the SuiteApp ID field, enter the SuiteApp that is allowed to reference the secret. You can specify only one SuiteApp.
  - In the Allow On Test Accounts field, enter account numbers that are allowed to reference the secret even if it is not included in a SuiteApp installed from the SuiteApp Marketplace. Separate multiple accounts with a comma.
2. In the Restrict to Scripts field, enter the script IDs that are allowed to reference the secret (that is, your scripts that use the N/llm module). Separate multiple script IDs with a comma.
3. Check the Allow for All Domains box.
Click Save. The newly created secret is displayed on the API Secrets page.
Go to the next procedure and create the API secret for the OCI private key.

To create an API secret for the OCI private key

Click Create New. The Create New Secret dialog is displayed.
On the Details tab:
1. For the ID, ensure that it starts with an underscore, because the system adds a prefix custsecret when you save. For example, if you enter _oci_config_privatekey, then the ID will be custsecret_oci_config_privatekey after you save.
2. Click Choose a file and upload the private key file.
Click the Restrictions tab and complete as follows:
1. If you are developing a SuiteApp, check the Available to SuiteApp box.
  - In the SuiteApp ID field, enter the SuiteApp that is allowed to reference the secret. You can specify only one SuiteApp.
  - In the Allow On Test Accounts field, enter account numbers that are allowed to reference the secret even if it is not included in a SuiteApp installed from the SuiteApp Marketplace. Separate multiple accounts with a comma.
2. In the Restrict to Scripts field, enter the script IDs that are allowed to reference the secret (that is, your scripts that use the N/llm module). Separate multiple script IDs with a comma.
3. Check the Allow for All Domains box.
Click Save. The newly created secret is displayed on the API Secrets page.
From the API Secrets page, copy the ID for each secret you created. Use these IDs in one of the following locations:
- The ociConfig.fingerprint and ociConfig.privateKey parameter values in your N/llm module code.
- The API Secret for Fingerprint and API Secret for Private Key fields on the Settings subtab of the AI Preferences page. If you choose this option, make sure that the Use OCI Credentials for SuiteScript box is checked on the SuiteScript subtab of the AI Preferences page.

Step 4: Test OCI Configuration Parameters in Your Code

Add the getRemainingFreeUsage method to two places in a script that uses the generateText or evaluatePrompt methods: one time before generateText or evaluatePrompt and one time after.

If you did not specify your OCI configuration parameters on the Settings subtab of the AI Preferences page, update your code to use the ociConfig parameters object.

If the configuration was correct, your script should run without errors, and you should see no change in the number returned by getRemainingFreeUsage.

If the configuration was not correct, a SuiteScript error will occur. Verify the following items:

Do the OCI configuration parameters contain the correct values for your Oracle Cloud account?
Were the NetSuite API Secret IDs entered correctly in your code or in the fields on the Settings subtab of the AI Preferences page? Do they match the secret IDs and not the secret names as shown on the API Secrets page?
On the API Secrets page in NetSuite, were the OCI fingerprint and OCI private key secrets created correctly?
If you are not using the ociConfig parameters object, is the Use OCI Credentials for SuiteScript box checked on the SuiteScript subtab of the AI Preferences page?

Fix any items that are incorrect and run the script again. You may need to repeat this step to resolve all configuration errors.