The Signature for Web Services and RESTlets

This section covers generating a valid signature. The examples shown are for SOAP web services, REST web services, and for RESTlets. The principle for constructing a signature is similar for the TBA authorization flow. The TBA authorization flow requires additional parameters that are not shown in the following examples. For more information about the required parameters, see The Three-Step TBA Authorization Flow.

Note:

The values defined in this section are the values used in The Authorization Headers and The RESTlet Base String sections.

Generate a Signature

Warning:

As of 2023.1, support for the HMAC-SHA1 signature method has ended.

The following sections describe how to correctly create a signature and provide PHP examples for each step.

Note:

TBA uses percent encoding. For more information about percent encoding, see https://tools.ietf.org/html/rfc5849#section-3.6. The examples in this section use the PHP rawurlencode function.

Input Parameters for the Example

These are the input parameters used for this example.

              $url = 'https://123456.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=6&deploy=1&customParam=someValue&testParam=someOtherValue';
//or https://123456.suitetalk.api.netsuite.com/services/NetSuitePort_2015_2 for webservices
//or https://123456.suitetalk.api.netsuite.com/services/rest/record/v1/employee/40 for REST web services
$httpMethod = 'POST'; //or $httpMethod = 'GET'; for REST Web Services
$tokenKey = '2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc';
$tokenSecret = 'c29a677df7d5439a458c063654187e3d678d73aca8e3c9d8bea1478a3eb0d295';
$consumerKey = 'ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4';
$consumerSecret = 'd26ad321a4b2f23b0741c8d38392ce01c3e23e109df6c96eac6d099e9ab9e8b5';
$signatureMethod = 'HMAC-SHA256';
$nonce = 'fjaLirsIcCGVZWzBX0pg';      //substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 20);
$timestamp = '1508242306';            //time();
$version = '1.0';
$realm = '123456';                   //scompid 

            

Step One: Construct a Base String for the Signature

The first step in creating a signature is constructing a Base String. This is the only step in generating a signature that differs between SOAP web services and RESTlets.

Note:

If you are constructing a signature for the TBA authorization flow, be aware of the following:

SOAP Web Services

                $baseString = rawurlencode($realm) ."&". rawurlencode($consumerKey) ."&". rawurlencode($tokenKey) ."&". rawurlencode($nonce) ."&". rawurlencode($timestamp); 

              

SOAP Web Services Base String Example

For SOAP web services, creating the Base String is straightforward. Percent-encode each parameter and join the parameters in this order, with the ampersand character (&) as the delimiter: realm (accountID, also called scompid), consumer key, token key, nonce, and timestamp.

                  123456&ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4&2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc&fjaLirsIcCGVZWzBX0pg&1508242306 

                

RESTlets

                $baseString = oauth_get_sbs($httpMethod, $url, array('oauth_consumer_key' => $consumerKey,
                                                     'oauth_nonce' => $nonce,
                                                     'oauth_signature_method' => $signatureMethod,
                                                     'oauth_timestamp' => $timestamp,
                                                     'oauth_token' => $tokenKey,
                                                     'oauth_version' => $version)); 

              

RESTlets Base String Example

This RESTlets example uses the oauth library. For more information, see https://tools.ietf.org/html/rfc5849#section-3.4.1.

                  POST&https%3A%2F%2F123456.restlets.api.netsuite.com%2Fapp%2Fsite%2Fhosting%2Frestlet.nl&customParam%3DsomeValue%26deploy%3D1%26oauth_consumer_key%3Def40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4%26oauth_nonce%3DfjaLirsIcCGVZWzBX0pg%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1508242306%26oauth_token%3D2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc%26oauth_version%3D1.0%26script%3D6%26testParam%3DsomeOtherValue

                

REST Web Services

                $baseString = oauth_get_sbs($httpMethod, $url, array('oauth_consumer_key' => $consumerKey,
                                                     'oauth_nonce' => $nonce,
                                                     'oauth_signature_method' => $signatureMethod,
                                                     'oauth_timestamp' => $timestamp,
                                                     'oauth_token' => $tokenKey,
                                                     'oauth_version' => $version)); 

              

REST Web Services Base String Example

This REST web services example uses the oauth library. For more information, see https://tools.ietf.org/html/rfc5849#section-3.4.1.

                  GET&https%3A%2F%2F123456.suitetalk.api.netsuite.com%2Fservices%2Frest%2Frecord%2Fv1%2Femployee%2F40&oauth_consumer_key%3Def40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4%26oauth_nonce%3DfjaLirsIcCGVZWzBX0pg%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1508242306%26oauth_token%3D2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc%26oauth_version%3D1.0 

                

Step Two: Signature Key

The signature key is used to sign the base string in the HMAC-SHA algorithm. The key is constructed from the URL-encoded values for consumer secret and token secret, with the ampersand character (&) as the delimiter.

              $key = rawurlencode($consumerSecret) .'&'. rawurlencode($tokenSecret); 

            

Step Three: Signature

The signature parameter is the Base64-encoded HMAC-SHA value, where the message is the Base String from Step One and the key is the signature key from the previous step.

              $signature = base64_encode(hash_hmac('sha256', $baseString, $key, true)); 

            

SOAP Web Services Signature

                tIcC5zyKUmycB5Ml/cNxOHDusw03Y5KPQiXVNUHHp4U= 

              

RESTlets Signature

                KK4SKNgz4ZiILGLwOMtfYlgcXSy1eis8ldE9X90azQ= 

              

REST Web Services Signature

                B5OIWznZ2YP0OB7VrJrGkYsTh%2B8H%2B5T9Hag%2Bo92q0zY%3D 
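
The three steps above for the RESTlet case, as an added example that is not NetSuite's code: it builds the RFC 5849 section 3.4.1 base string in plain PHP, for environments where the PECL OAuth extension that provides oauth_get_sbs is not installed, and shows that the URL's query parameters are signed together with the oauth_ parameters. The function names tba_base_string and tba_signature are hypothetical; the code assumes PHP 7.4 or later and a URL on the default port.

```php
<?php
// Added example, not NetSuite code. tba_base_string() and tba_signature() are hypothetical names.
// Assumes PHP 7.4+ and a URL on the default port (true for the sample URLs on this page).

function tba_base_string(string $httpMethod, string $url, array $oauthParams): string
{
    $parts = parse_url($url);
    // Base string URI: lowercase scheme and host, path kept, query string removed.
    $baseUri = strtolower($parts['scheme']) . '://' . strtolower($parts['host']) . ($parts['path'] ?? '/');

    // Query parameters and OAuth parameters are signed together as encoded pairs.
    $pairs = [];
    foreach (array_filter(explode('&', $parts['query'] ?? ''), 'strlen') as $item) {
        [$name, $value] = array_pad(explode('=', $item, 2), 2, '');
        $pairs[] = [rawurlencode(urldecode($name)), rawurlencode(urldecode($value))];
    }
    foreach ($oauthParams as $name => $value) {
        $pairs[] = [rawurlencode($name), rawurlencode($value)];
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));

    return strtoupper($httpMethod) . '&' . rawurlencode($baseUri) . '&' . rawurlencode($normalized);
}

function tba_signature(string $baseString, string $consumerSecret, string $tokenSecret): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);   // Step Two
    return base64_encode(hash_hmac('sha256', $baseString, $key, true));        // Step Three
}

// Input parameters from this page (RESTlet case).
$url = 'https://123456.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=6&deploy=1&customParam=someValue&testParam=someOtherValue';
$oauth = [
    'oauth_consumer_key'     => 'ef40afdd8abaac111b13825dd5e5e2ddddb44f86d5a0dd6dcf38c20aae6b67e4',
    'oauth_nonce'            => 'fjaLirsIcCGVZWzBX0pg',
    'oauth_signature_method' => 'HMAC-SHA256',
    'oauth_timestamp'        => '1508242306',
    'oauth_token'            => '2b0ce516420110bcbd36b69e99196d1b7f6de3c6234c5afb799b73d87569f5cc',
    'oauth_version'          => '1.0',
];
$baseString = tba_base_string('POST', $url, $oauth);
$signature  = tba_signature($baseString, 'd26ad321a4b2f23b0741c8d38392ce01c3e23e109df6c96eac6d099e9ab9e8b5', 'c29a677df7d5439a458c063654187e3d678d73aca8e3c9d8bea1478a3eb0d295');

echo $baseString, PHP_EOL;
// Percent-encoded form of the signature, the form the REST Web Services Signature on this page is shown in.
echo rawurlencode($signature), PHP_EOL;
```

Because realm is not part of this base string and the secrets appear only in the HMAC key, a mismatch in the printed base string (parameter order, double encoding, a query parameter left out) is the first thing to compare when a request is rejected.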

              

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Token-based Authentication (TBA) for Integration Application Developers
Troubleshoot Token-based Authentication (TBA)