The Signature for Web Services and RESTlets
This section covers generating a valid signature. The examples shown are for SOAP web services, REST web services, and for RESTlets. The principle for constructing a signature is similar for the TBA authorization flow. The TBA authorization flow requires additional parameters that are not shown in the following examples. For more information about the required parameters, see The Three-Step TBA Authorization Flow.
The values defined in this section are the values used in The Authorization Headers and The RESTlet Base String sections.
Generate a Signature
As of 2023.1, support for the HMAC-SHA1 signature method has ended.
The following sections describe how to correctly create a signature and provide PHP examples for each step.
TBA uses percent encoding. For more information about percent encoding, see https://tools.ietf.org/html/rfc5849#section-3.6. The examples in this section use PHP rawurlencode.
Input Parameters for the Example
These are the input parameters used for this example.
$url = 'https://123456.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=6&deploy=1&customParam=someValue&testParam=someOtherValue';
//or https://123456.suitetalk.api.netsuite.com/services/NetSuitePort_2015_2 for webservices
//or https://123456.suitetalk.api.netsuite.com/services/rest/record/v1/employee/40 for REST web services
$httpMethod = 'POST'; //or $httpMethod = 'GET'; for REST Web Services
$tokenKey = '2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc';
$tokenSecret = 'c29a677df7d5439a458c063654187e3d678d73aca8e3c9d8bea1478a3eb0d295';
$consumerKey = 'ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4';
$consumerSecret = 'd26ad321a4b2f23b0741c8d38392ce01c3e23e109df6c96eac6d099e9ab9e8b5';
$signatureMethod = 'HMAC-SHA256';
$nonce = 'fjaLirsIcCGVZWzBX0pg'; //substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 20);
$timestamp = '1508242306'; //time();
$version = '1.0';
$realm = '123456'; //scompid
Step One Construct a Base String for the Signature
The first step in creating a signature is constructing a base string. This is the only step in generating a signature that differs between SOAP web services and RESTlets.
If you are constructing a signature for the TBA authorization flow, be aware of the following:
- The token and oauth_verifier parameters required for the base string are not shown in the following examples. See The Three-Step TBA Authorization Flow for information about these parameters.
- Except for the realm parameter, all parameters shown in the table in Request Header Parameters in the Authorization Header for Step One must be part of the base string.
- You can follow the RESTlets format as a guideline for constructing the base string, as RESTlets also follow the OAuth 1.0 specification.
SOAP Web Services
$baseString = rawurlencode($realm) ."&". rawurlencode($consumerKey) ."&". rawurlencode($tokenKey) ."&". rawurlencode($nonce) ."&". rawurlencode($timestamp);
SOAP Web Services Base String Example
For SOAP web services, creating the base string is straightforward. Use percent encoding. The parameters are: realm (accountID, also called scompid), consumer key, token key, nonce, and timestamp, joined with the ampersand character (&) as the delimiter.
123456&ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4&2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc&fjaLirsIcCGVZWzBX0pg&1508242306
RESTlets
// oauth_get_sbs() is provided by the PECL OAuth extension.
$baseString = oauth_get_sbs($httpMethod, $url, array(
    'oauth_consumer_key' => $consumerKey,
    'oauth_nonce' => $nonce,
    'oauth_signature_method' => $signatureMethod,
    'oauth_timestamp' => $timestamp,
    'oauth_token' => $tokenKey,
    'oauth_version' => $version));
RESTlets Base String Example
This RESTlets example uses the oauth library. For more information, see https://tools.ietf.org/html/rfc5849#section-3.4.1.
POST&https%3A%2F%2F123456.restlets.api.netsuite.com%2Fapp%2Fsite%2Fhosting%2Frestlet.nl&customParam%3DsomeValue%26deploy%3D1%26oauth_consumer_key%3Def40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4%26oauth_nonce%3DfjaLirsIcCGVZWzBX0pg%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1508242306%26oauth_token%3D2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc%26oauth_version%3D1.0%26script%3D6%26testParam%3DsomeOtherValue
REST Web Services
// oauth_get_sbs() is provided by the PECL OAuth extension.
$baseString = oauth_get_sbs($httpMethod, $url, array(
    'oauth_consumer_key' => $consumerKey,
    'oauth_nonce' => $nonce,
    'oauth_signature_method' => $signatureMethod,
    'oauth_timestamp' => $timestamp,
    'oauth_token' => $tokenKey,
    'oauth_version' => $version));
REST Web Services Base String Example
This REST web services example uses the oauth library. For more information, see https://tools.ietf.org/html/rfc5849#section-3.4.1.
GET&https%3A%2F%2F123456.suitetalk.api.netsuite.com%2Fservices%2Frest%2Frecord%2Fv1%2Femployee%2F40&oauth_consumer_key%3Def40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4%26oauth_nonce%3DfjaLirsIcCGVZWzBX0pg%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1508242306%26oauth_token%3D2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc%26oauth_version%3D1.0
Step Two Signature Key
The signature key is used to sign the base string in the HMAC-SHA algorithm. The key is constructed from the URL-encoded values for consumer secret and token secret, with the ampersand character (&) as the delimiter.
$key = rawurlencode($consumerSecret) .'&'. rawurlencode($tokenSecret);
Step Three Signature
The signature parameter is the Base64-encoded value of the HMAC-SHA digest, where the message is the base string and the key is the signature key from the previous step.
$signature = base64_encode(hash_hmac('sha256', $baseString, $key, true));
SOAP Web Services Signature
tIcC5zyKUmycB5Ml/cNxOHDusw03Y5KPQiXVNUHHp4U=
RESTlets Signature
KK4SKNgz4ZiILGLwOMtfYlgcXSy1eis8ldE9X90azQ=
REST Web Services Signature
B5OIWznZ2YP0OB7VrJrGkYsTh%2B8H%2B5T9Hag%2Bo92q0zY%3D
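Steps one to three combined for the RESTlet case, with the base string built by hand following RFC 5849 section 3.4.1 instead of calling the oauth library. This is an added example, not NetSuite's code: tbaBaseString() and tbaSign() are hypothetical helper names, and the inputs are the sample values from Input Parameters for the Example.

```php
<?php
// Added example. tbaBaseString() and tbaSign() are hypothetical helper names.
function tbaBaseString(string $method, string $url, array $oauth): string
{
    $u = parse_url($url);
    $scheme = strtolower($u['scheme']);
    $host = strtolower($u['host']);
    // RFC 5849 3.4.1.2: keep the port only when it is not the scheme default.
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    if (isset($u['port']) && $u['port'] !== $default) {
        $host .= ':' . $u['port'];
    }
    $baseUri = $scheme . '://' . $host . ($u['path'] ?? '/');
    // realm and oauth_signature are never part of the base string.
    unset($oauth['realm'], $oauth['oauth_signature']);
    $pairs = [];
    // Query parameters are decoded, then re-encoded with rawurlencode.
    foreach (array_filter(explode('&', $u['query'] ?? ''), 'strlen') as $item) {
        [$k, $v] = array_pad(explode('=', $item, 2), 2, '');
        $pairs[] = [rawurlencode(urldecode($k)), rawurlencode(urldecode($v))];
    }
    foreach ($oauth as $k => $v) {
        $pairs[] = [rawurlencode((string) $k), rawurlencode((string) $v)];
    }
    // Sort by encoded name; ties are broken by encoded value (byte order).
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $params = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($baseUri) . '&' . rawurlencode($params);
}

function tbaSign(string $baseString, string $consumerSecret, string $tokenSecret): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha256', $baseString, $key, true));
}

// Sample values from "Input Parameters for the Example" on this page.
$url = 'https://123456.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=6&deploy=1&customParam=someValue&testParam=someOtherValue';
$oauth = [
    'oauth_consumer_key'     => 'ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4',
    'oauth_nonce'            => 'fjaLirsIcCGVZWzBX0pg',
    'oauth_signature_method' => 'HMAC-SHA256',
    'oauth_timestamp'        => '1508242306',
    'oauth_token'            => '2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc',
    'oauth_version'          => '1.0',
];
$base = tbaBaseString('POST', $url, $oauth);
$signature = tbaSign($base, 'd26ad321a4b2f23b0741c8d38392ce01c3e23e109df6c96eac6d099e9ab9e8b5', 'c29a677df7d5439a458c063654187e3d678d73aca8e3c9d8bea1478a3eb0d295');
echo $base, PHP_EOL, $signature, PHP_EOL;
```

The first line printed is the base string shown in RESTlets Base String Example, and the second is the Base64 signature, which must be percent-encoded when it is placed in the oauth_signature parameter of the Authorization header.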