Step One Obtain An Unauthorized Request Token

The application sends a POST request to the request token endpoint. Include the necessary parameters in the authorization header.

The format of the URL is:

https://<accountID>.restlets.api.netsuite.com/rest/requesttoken

where <accountID> is a variable for your NetSuite account ID.

Note:

You should use the account-specific domain URL as shown. However, as of 2020.1, if you do not know the account ID, requests can be sent to the system.netsuite.com domain.

See the following header for details.

Request Header Parameters in the Authorization Header for Step One

OAuth Authorization Header Parameter	Description
oauth_consumer_key	Identifies the client. (The service attempting to access the resource.) The value of the consumer key is provided when the integration record is created.
oauth_signature_method	Only HMAC-SHA256 is supported.
oauth_signature	Constructed signature (consumer secret to be used during signing) For more information about constructing a signature, see Constructing the Signature for Step One of the TBA Authorization Flow. See also Specifications for Signature Construction for the TBA Authorization Flow.
oauth_timestamp	Number of seconds passed since 1st January 1970 00:00:00 GMT Must be a positive integer Should be equal to or greater than any timestamp passed in previous requests
oauth_nonce	Generated random string. Nonce must be at least six characters long. An ideal nonce length is 20 characters. Must be unique for all requests with the same timestamp.
oauth_version	Optional. If present, value must be `1.0`.
oauth_callback	An absolute URL, to which a redirect with a verification code will be performed. The callback URL should match the callback URL in the corresponding integration record. As of 2020.1, the callback URL supports multiple ports on a localhost (`http://localhost:`). This is the only case where use of the asterisk () character is permitted.
realm	NetSuite account ID (company identifier). Note: As of 2020.1, the realm parameter is no longer required for this step.
role	Optional. Indicates the role for which to grant the access token.

OAuth Authorization Header Parameter

Description

oauth_consumer_key

Identifies the client. (The service attempting to access the resource.)
The value of the consumer key is provided when the integration record is created.

oauth_signature_method

Only HMAC-SHA256 is supported.

oauth_signature

Constructed signature (consumer secret to be used during signing)

For more information about constructing a signature, see Constructing the Signature for Step One of the TBA Authorization Flow. See also Specifications for Signature Construction for the TBA Authorization Flow.

oauth_timestamp

Number of seconds passed since 1st January 1970 00:00:00 GMT
Must be a positive integer
Should be equal to or greater than any timestamp passed in previous requests

oauth_nonce

Generated random string. Nonce must be at least six characters long. An ideal nonce length is 20 characters.
Must be unique for all requests with the same timestamp.

oauth_version

Optional.
If present, value must be 1.0.

oauth_callback

An absolute URL, to which a redirect with a verification code will be performed.
The callback URL should match the callback URL in the corresponding integration record.
As of 2020.1, the callback URL supports multiple ports on a localhost (http://localhost:*). This is the only case where use of the asterisk (*) character is permitted.

realm

NetSuite account ID (company identifier).

Note:
As of 2020.1, the realm parameter is no longer required for this step.

role

Optional.
Indicates the role for which to grant the access token.

Note:

Refer to RFC 5849 if you need more information about the parameters oauth_timestamp, oauth_nonce, and oauth_version.

The HTTP Response Parameters for Step One

When an authorization request is successfully verified, the following HTTP response is returned:

Response Parameter	Description
oauth_token	An unauthorized request token, which should be authorized by the application in Step Two of the flow.
oauth_token_secret	The corresponding token secret, to be used for signature creation in Step Three of the flow.
oauth_callback_confirmed	Response must be true, if the request verification was successful.
role	The role parameter is present in the response only if configured in the request.

Response Parameter

Description

oauth_token

An unauthorized request token, which should be authorized by the application in Step Two of the flow.

oauth_token_secret

The corresponding token secret, to be used for signature creation in Step Three of the flow.

oauth_callback_confirmed

Response must be true, if the request verification was successful.

role

The role parameter is present in the response only if configured in the request.

When you have the HTTP response, proceed to Step Two Authorize the Request Token.

Request Header Parameters in the Authorization Header for Step One

The HTTP Response Parameters for Step One

Related Topics