OAuth 2.0 Access and Refresh Token Structure
Both the access token and refresh token include three parts: a header, a payload, and a signature.
The token header includes the following parameters:
| Parameter Name | Description |
|---|---|
| kid | The value of the kid parameter is the ID of the certificate used for signing the token. |
| typ | The value of the typ parameter is |
| alg | The value of the alg parameter is |
The token payload includes the following parameters:
| Parameter Name | Description |
|---|---|
| sub | The value of the sub parameter is the role and entity of the user, separated by a semicolon. For example, 1111;10. |
| aud | The value of the aud parameter is the Application ID of the integration record and the company, separated by a semicolon. Additionally, the client ID is part of the aud parameter, separated by a comma. For example, 1A111AA1-AA11-1A11-1111-A1A1111111A1;1111, 661131f7bf0a2f8a4d09c79d3fa961eab66102dca43e07ad47d3a29628ced67b. |
| scope | The value of the scope parameter is either |
| iss | The value of the iss parameter is |
| oit | The value of the oit parameter represents the number of seconds since the first token of the token chain was issued. This is only applicable for public clients. |
| exp | The value of the exp parameter represents the number of seconds since January 1, 1970, until the token's expiration. |
| iat | The value of the iat parameter represents when the token was issued. The value of the parameter is in seconds since January 1, 1970. |
| jti | The value of the jti parameter is the token ID, which is unique for every token. |
The following is an example of an access token response, with the token in JWT format:

```json
{"access_token": "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI0MDMwMDU5OzA7Mzs3O04iLCJhdWQiOlsiOWE1MDY4YjFjNGU5OGU4Yjg1YzMwMmYyMjg2N2YzNTAyYTBmYzYwNzU4MDQwNzliNzYzZmExYzg2NzJiYTlkNCIsImFwcDoyNzBDNDQ3Ny1DNUY1LTRFMDQtQkNDMS1CMDMzRDk0QTlDMDgiXSwic2NvcGUiOlsicmVzdF93ZWJzZXJ2aWNlcyIsInJlc3RsZXRzIl0sImlzcyI6Imh0dHBzOlwvXC9ydW5ib3guY29ycC5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2Mjc5MDYzMzAsImV4cCI6MTYyNzkwOTkzMCwiaWF0IjoxNjI3OTA2MzMwLCJqdGkiOiJhLmMuZmI3ZDYzN2YtOTdjNC00Nzk0LTkyYWYtZTU2N2ZhYjc1ODRlLjE2Mjc5MDYzMzA1MDMuMTYyNzkwNjMzMDUwMyJ9.QjzADDeU2yN-6j-ol0fApgmleIn17HHD4bi06yBYpEpL5rBSbK3h11-GgU44Kc6ujQQQ3t4yr6IWBrtak5qLPWQmJE5-Ry_IvaxZRmPuB8rxI09_o4uXJE7oxpMreK4snYoIfH1Ph40Fq977MVVz9K-5pCTclOberX9dTTM3O0BnL6QNrf3lv3RA7J5LilceGAm4OV7OOoddn_fB6yeO0ZghVbJbRgI-tChqwdmWY42zhTeHjdG4K6ooA2IVcOm2GUFMhiFT2I00ZLZ-dYBPYkfRDn2Fvbn8V8GN1biQ6_u6j07k0XSq1Mv-WN-saH7rTKaA1gkX4IFwIHzN7eJUcg", "expires_in": "3600", "token_type": "Bearer"}
```

The token's dot-separated segments are Base64url encoded (the URL-safe Base64 alphabet, without padding).
The signature is validated with a public key, which is associated with the kid parameter. To access the public key for your account, use the following URL:
`https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/keys`

where `<accountID>` represents your NetSuite account ID.
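The following is an added example, not NetSuite's code, of the client-side handling this section describes: splitting the sample token above into its three segments, decoding header and payload, selecting the signing key by kid from a key set, and checking the time and issuer claims before the RS256 signature is verified. The key set shown is a constructed stand-in for the document served at the keys URL (only the kid is taken from the token; the modulus is a placeholder), and `expected_alg` is an assumption matching the sample token's header.

```python
import base64
import json

# The access token quoted on this page, reused here as real sample input.
ACCESS_TOKEN = "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI0MDMwMDU5OzA7Mzs3O04iLCJhdWQiOlsiOWE1MDY4YjFjNGU5OGU4Yjg1YzMwMmYyMjg2N2YzNTAyYTBmYzYwNzU4MDQwNzliNzYzZmExYzg2NzJiYTlkNCIsImFwcDoyNzBDNDQ3Ny1DNUY1LTRFMDQtQkNDMS1CMDMzRDk0QTlDMDgiXSwic2NvcGUiOlsicmVzdF93ZWJzZXJ2aWNlcyIsInJlc3RsZXRzIl0sImlzcyI6Imh0dHBzOlwvXC9ydW5ib3guY29ycC5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2Mjc5MDYzMzAsImV4cCI6MTYyNzkwOTkzMCwiaWF0IjoxNjI3OTA2MzMwLCJqdGkiOiJhLmMuZmI3ZDYzN2YtOTdjNC00Nzk0LTkyYWYtZTU2N2ZhYjc1ODRlLjE2Mjc5MDYzMzA1MDMuMTYyNzkwNjMzMDUwMyJ9.QjzADDeU2yN-6j-ol0fApgmleIn17HHD4bi06yBYpEpL5rBSbK3h11-GgU44Kc6ujQQQ3t4yr6IWBrtak5qLPWQmJE5-Ry_IvaxZRmPuB8rxI09_o4uXJE7oxpMreK4snYoIfH1Ph40Fq977MVVz9K-5pCTclOberX9dTTM3O0BnL6QNrf3lv3RA7J5LilceGAm4OV7OOoddn_fB6yeO0ZghVbJbRgI-tChqwdmWY42zhTeHjdG4K6ooA2IVcOm2GUFMhiFT2I00ZLZ-dYBPYkfRDn2Fvbn8V8GN1biQ6_u6j07k0XSq1Mv-WN-saH7rTKaA1gkX4IFwIHzN7eJUcg"

def b64url_decode(segment: str) -> bytes:
    """JWT segments use the URL-safe alphabet and omit '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_jwt(token: str) -> dict:
    """Split header.payload.signature, decode the two JSON parts and keep the raw signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
        "signing_input": f"{parts[0]}.{parts[1]}".encode(),  # bytes the RS256 signature covers
    }

# Constructed stand-in for the key set served at
# https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/keys
# Only the kid is real (it comes from the token above); the modulus is a placeholder.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                         "kid": "s.SYSTEM.2020_1", "e": "AQAB", "n": "<MODULUS-PLACEHOLDER>"}]}

def select_key(jwks: dict, header: dict, expected_alg: str = "RS256") -> dict:
    """Pick the key whose kid matches the header; the verifier, not the header, fixes the algorithm."""
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    for key in jwks["keys"]:
        if key.get("kid") == header.get("kid") and key.get("alg", expected_alg) == expected_alg:
            return key
    # An unknown kid after the 90-day rotation means the cached key set is stale: refetch it.
    raise KeyError(f"no signing key for kid {header.get('kid')!r}")

def check_claims(payload: dict, now: int, expected_iss: str) -> dict:
    """Validate issuer and time claims; return parsed sub/aud fields and the remaining lifetime."""
    if payload["iss"] != expected_iss:
        raise ValueError("issuer mismatch")
    if now >= payload["exp"]:
        raise ValueError("token expired")
    if payload["iat"] > now:
        raise ValueError("token issued in the future")
    aud = payload["aud"]  # the table describes a delimited string; the sample carries a JSON list
    audiences = aud if isinstance(aud, list) else [a.strip() for a in aud.replace(";", ",").split(",")]
    return {"sub_fields": payload["sub"].split(";"), "audiences": audiences,
            "scope": payload.get("scope", []), "jti": payload["jti"],
            "seconds_left": payload["exp"] - now}
```

Signature verification over `signing_input` with the selected key's `n` and `e` is the remaining step; it needs an RSA implementation (for example the `cryptography` package) and a real key set fetched from the keys URL.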
Certificate Rotation
As of NetSuite 2021.1, the certificates used to validate access and refresh tokens during the OAuth 2.0 code grant flow are no longer valid indefinitely.
The certificates are valid for 90 days and the system generates new certificates 30 days before the previous certificates expire.
The certificates are company-specific.