Creating Secrets

Warning:

Do not use sensitive or private information in any of the informational fields in the UI. This information is visible to other users.

You can store, manage, and reference API secrets securely in NetSuite at Setup > Company > Preferences > API Secrets. You can then reference these secrets in third-party integrations, which removes the need for plaintext secrets in scripts. API secrets include hashes, passwords, keys, and other secrets for managing digital authentication credentials. Secrets up to 1,000,000 characters are accepted.

Tip:

Take note of your old and new passwords. It can take up to one hour for the new password to be updated. When you have secrets for SFTP username and password, the old username and password must remain functional for at least one hour after secrets for the new username and password are entered.

To create a secret:

  1. Go to Setup > Company > Preferences > API Secrets.

  2. At the top of the page, click Create New.

  3. In the Create New Secret window, on the Details tab, enter a descriptive name for this secret in the Name field. Do not use sensitive or private information. It is shown on the list of API Secrets.

  4. In the ID field, enter a script ID for this secret. The ID of the secret lets you access it using SuiteScript. You should make this a descriptive ID with no spaces or special characters. NetSuite prefixes the script ID with 'custsecret'. Do not use sensitive or private information in this field. It is shown on the list of API Secrets.

  5. Either type the secret into the Password field, or load it from a file. Multi-line secrets must be loaded from a file.

  6. Enter your password again in the Confirm Password field.

  7. (Optional) Check the Expiration Warning box if you want a warning to be displayed in the UI when the secret is nearing the expiration date.

  8. In the Description field, enter a description of this secret. Do not use sensitive or private information. It is shown on the list of API Secrets.

  9. (Optional) Specify the scope of the secret on the Restrictions tab.

    1. If the secret is to be used only in the same account where it is created:

      1. Do not check the Available to SuiteApp box.

      2. In the Restrict to Employees field, select the users that are allowed to reference the secret using SuiteScript.

    2. If the secret is to be used in other accounts through a SuiteApp:

      1. Check the Available to SuiteApp box.

      2. In the SuiteApp ID field, enter the SuiteApp ID of the SuiteApp that will distribute the secret. This field is required, and you can enter only one SuiteApp ID.

        Warning:

        By checking the Available to SuiteApp box and specifying a SuiteApp ID in the SuiteApp ID field, the new secret will be automatically distributed to all accounts that have the specified SuiteApp installed.

      3. In the Allow on Test Accounts field, specify account numbers that are also allowed to reference the secret. Specified accounts may use the secret even if the secret is not included in a SuiteApp installed from the SuiteApp Marketplace. Separate multiple accounts with a comma.

  10. In the Owners field, select the users that are allowed to access and manage the secret.

  11. Check the Allow For All Scripts box to allow any script in this account to access this secret using SuiteScript 2.x. If you clear this box, you must list the script IDs of the scripts that should have access in the Restrict To Scripts field.

  12. In the Restrict To Scripts field, enter the script IDs that are allowed to reference the secret. Separate multiple script IDs with a comma.

  13. Check the Allow For All Domains box to allow this decrypted secret to be sent to any domain. If you clear this box, you must list the domains that should have access in the Restrict To Domains field.

  14. In the Restrict To Domains field, enter the domains where decrypted passwords can be sent (applicable to SFTP and HTTPS only). Separate multiple domains with a comma. If you do not intend to use the secret with SFTP or HTTPS, consider adding an invalid domain to prevent the decrypted version of the secret from being sent or shared.

  15. Click Save.
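
The following JavaScript is an added example, not NetSuite's own code: it shows a script referring to the secret by its script ID (step 4) and checking the destination host against the same list entered in Restrict To Domains (step 14) before sending. The ID `custsecret_partner_api_token`, the domain `api.partner.example`, and the `fakeHttps` stand-in are constructed; passing a `{custsecret...}` token to `https.createSecureString` and using the result as a header value is assumed N/https behaviour.

```javascript
// `https` is the N/https module inside NetSuite; all names here are hypothetical.
const SECRET_ID = 'custsecret_partner_api_token';  // script ID from step 4 (constructed)
// Mirror of the Restrict To Domains field (step 14), so the script stops
// before any request if it is pointed at a host the secret is not scoped to.
const ALLOWED_DOMAINS = ['api.partner.example'];   // constructed value

// Extract the lower-cased host from an https:// URL without relying on URL().
function hostOf(url) {
  const m = /^https:\/\/([^\/:?#]+)/i.exec(url);
  if (!m) throw new Error('only https:// URLs are accepted');
  return m[1].toLowerCase();
}

// Build the reference token for a secret; the script holds no plaintext.
function secretRef(id) {
  // Step 4 asks for an ID with no spaces or special characters.
  if (!/^custsecret\w+$/.test(id)) throw new Error('unexpected secret ID: ' + id);
  return '{' + id + '}';
}

// Send a GET with the secret as a bearer token, only to an allowed host.
function callPartner(https, url) {
  const host = hostOf(url);
  if (!ALLOWED_DOMAINS.includes(host)) throw new Error('host not allowed: ' + host);
  const auth = https.createSecureString({ input: 'Bearer ' + secretRef(SECRET_ID) });
  return https.get({ url: url, headers: { Authorization: auth } });
}

// Constructed stand-in for N/https so the example runs outside NetSuite.
function fakeHttps(log) {
  return {
    createSecureString: (o) => ({ secure: o.input }),
    get: (o) => { log.push(o); return { code: 200 }; }
  };
}

// One allowed call and one call to a host outside the list.
function demo() {
  const log = [];
  callPartner(fakeHttps(log), 'https://api.partner.example/v1/orders');
  let blocked = false;
  try { callPartner(fakeHttps(log), 'https://other.example/collect'); }
  catch (e) { blocked = true; }
  return { sent: log, blocked: blocked };
}
```

Inside NetSuite, call `callPartner` from the script's entry point with the real N/https module in place of `fakeHttps`.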
