Step Two POST Request to the Token Endpoint
The application sends a POST request to the token endpoint. The request must include client credentials in the HTTP authorization request header and the required parameters in the request body. At the end of this step, the access token and refresh token are granted.
The format of the URL is:
https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token
where <accountID> is your NetSuite account ID.
Request Parameters for Step Two

| Request Parameter | Description |
|---|---|
| code | The `code` parameter value obtained in Step One. |
| redirect_uri | The value of the `redirect_uri` parameter must match the value entered in the corresponding integration record and the value sent in the request in Step One. |
| grant_type | The value of the `grant_type` parameter in Step Two is `authorization_code`, as shown in the example requests below. |
| code_verifier | The value of `code_verifier` must match the value generated in Step One (the server recomputes the code challenge from it). If the values do not match, an HTTP 400 Bad Request error is returned. For more information, see https://tools.ietf.org/html/rfc7636, sections 4.5 and 4.6. |
Be aware of the following requirements for the request:

- Request parameters must be encoded based on the HTML specification for the application/x-www-form-urlencoded media type. For more information, see URL Specification 5.1.
- The client authentication method used in the header of the request follows the HTTP Basic authentication scheme. For more information, see RFC 7617. The credential string has the format clientid:clientsecret and is Base64 encoded. The following code provides an example.

```http
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&code_verifier=abFOm_isZAwm7PpI9BtJRMEuiMqhU6sUqZlVWSsAAf1QutgIOD~on78mu-JdpbKc_RA7IEcf2e~q0XrKlJ1tE.8Un64PXLKQG16G4lwW-a5de_0aeU2mHnyVPg.Or8cE
```
If you use public clients (clients that cannot keep a client secret), you can choose from the following options:

- The request carries no Authorization header. The PKCE parameters and the client_id parameter are included in the body of the request, or
- The Authorization header contains only the client_id (followed by a colon and no client secret). The PKCE parameters are included in the body of the request.

The following code provides an example of the request with the PKCE parameters and the client_id parameter included in the body of the request:

```http
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&client_id=6794a3086e4f61a120350d01b8527aed3631472ef33412212495be65a8fc8d4c&code_verifier=XG2JcZ.I5_67es~Pev0ZbWSPlOklZJq-KPNaFInKuzgGQV4AWt5taWLDnD4IAsnJW_hl9iPQdQcv9~xGSY.qTiB99HA2rfm8cUwlfrzBY0j3bK4XPx-gLhoV1MF1JCC2
```
The following code provides an example of the request with the client_id parameter (and an empty client secret) in the Authorization header. The PKCE parameters are included in the body of the request:

```http
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0Yzo=
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&code_verifier=XG2JcZ.I5_67es~Pev0ZbWSPlOklZJq-KPNaFInKuzgGQV4AWt5taWLDnD4IAsnJW_hl9iPQdQcv9~xGSY.qTiB99HA2rfm8cUwlfrzBY0j3bK4XPx-gLhoV1MF1JCC2
```
HTTP Response for Step Two

| JSON Response Field | Description |
|---|---|
| access_token | The value of the `access_token` parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes. |
| refresh_token | The value of the `refresh_token` parameter is in JWT format. The refresh token is valid for seven days. Important: If you use public clients for OAuth 2.0, the refresh token is only valid for three hours and can be used only once. |
| expires_in | The value of the `expires_in` parameter is always `3600` (the access-token lifetime in seconds), as shown in the example response below. |
| token_type | The value of the `token_type` parameter is always `bearer`, as shown in the example response below. |
| id_token | This parameter is a part of OAuth 2.0, but it is used only in the NetSuite as OIDC Provider feature flow. You do not need to configure the `id_token` parameter as a part of the OAuth 2.0 feature flow. For more information, see Step Two POST Request to the Token Endpoint. |
The following is an example of a JSON response; the token values are JWTs:

```json
{
  "access_token": "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExMDcxMjU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuYS41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4xNjExMDY3NjU1MzU5In0.TVpquJSRujxyZpp9ydnkfQFy8fq2eTRIt-7mA6B9nGvftEQ2pJCu-15qfxYoe6iKU1JEpOhuvA-MAzdI-TvM1ndHT37VRdpcEa3R_kdZuDIT5hAS0G5VRVOQVF6bseHTKm4HIe0bFy8vCIaS6utQ46crF0LnQK_bxYXsQz8nFEwGlk4mOmsKje5ZB_0vzXpHEuYh9sBFdwxhMNUO3P_tFiAF0f0oXXJzAzYTEjA9pH_tr1ymGFoLWCIfKiR1RUavvVVGeL-jiQdZSRNr5cQj4Nz8iixn9bR2R1rEtcoXBzAJ2pSVU9yimLe2bPmzxBggJr839PDUP4IlKwkvzMUoLw",
  "refresh_token": "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExNjcyNDU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuci41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4wIn0.BbSQ86Phg6CKLMJ9gJQurs1NK6niSxFzF2EBFT--KFysI2AV9S1llZgxsRNIrMXsDioaepdWsGzrKepJXq25t5Sr7f-jBwTLK9g9SkFAvvEFsVJCYbdA4_BNZkHKlCC-1mA_yFNZWBYPdfCMGDX39iIDd7LVkaj-oPjpnuRnnK1ntNzxHx0coJiXwj3KfOI0PK7xfG1zbVSW14XOlatWbi80MY0ZQCgF41nFs-Rv-a7r-b51mMrm6kKZx-0MXfKRYT60H3gPXCk2QzkKovKy3kBVjajbtVPNS2tF_SbFNWOXJrn4MFzvnnDy0qsxT_Ijy3S5LTgk4YLrlwKv_XoE7A",
  "expires_in": "3600",
  "token_type": "bearer"
}
```

The access token and refresh token are JWTs: each consists of three Base64url-encoded segments (header, payload, signature) separated by periods. For more information, see RFC 7519.
After the access token and refresh token are granted, the integration is auto-installed in the account. If the integration fails to auto-install, check the State field in the corresponding integration record. Go to Setup > Integration > Manage Integrations, and click the name of the record. The value of the State field must be Enabled to auto-install the integration successfully.
The integration record should be auto-installed when the access token is granted, if the Require Approval During Auto-installation of Integration box is not checked on the SOAP Web Services Preferences page. If this box is checked, you must clear it to successfully auto-install integrations.
You must change the state manually if an access token was granted for the integration record before the box was cleared. To change the state manually, go to Setup > Integration > Manage Integrations, click the name of the corresponding integration record, and change the State field value to Enabled.