Step One Obtain An Unauthorized Request Token

The application sends a POST request to the request token endpoint, carrying the OAuth parameters listed below in the Authorization header.

The format of the URL is:

https://<accountID>.restlets.api.netsuite.com/rest/requesttoken

where <accountID> is a variable for your NetSuite account ID.

Note:

You should use the account-specific domain URL as shown. However, as of 2020.1, if you do not know the account ID, requests can be sent to the system.netsuite.com domain.

See the following table for details.

Request Header Parameters in the Authorization Header for Step One

OAuth Authorization Header Parameter

Description

oauth_consumer_key

  • Identifies the client. (The service attempting to access the resource.)

  • The value of the consumer key is provided when the integration record is created.

oauth_signature_method

Only HMAC-SHA256 is supported.

oauth_signature

  • The constructed signature. In this step the consumer secret is the only secret used during signing, because no token secret exists yet.

For more information about constructing a signature, see Constructing the Signature for Step One of the TBA Authorization Flow. See also Specifications for Signature Construction for the TBA Authorization Flow.

oauth_timestamp

  • Number of seconds elapsed since 1 January 1970 00:00:00 GMT (Unix epoch time).

  • Must be a positive integer.

  • Should be equal to or greater than the timestamp of any previous request from the same client; the server uses this to reject replayed requests.

oauth_nonce

  • A randomly generated string of at least six characters. The recommended length is 20 characters.

  • Must be unique for all requests with the same timestamp.

oauth_version

  • Optional.

  • If present, value must be 1.0.

oauth_callback

  • An absolute URL to which the user is redirected, together with a verification code, after the token is authorized in Step Two.

  • The callback URL should match the callback URL in the corresponding integration record.

  • As of 2020.1, the callback URL supports multiple ports on a localhost (http://localhost:*). This is the only case where use of the asterisk (*) character is permitted.

realm

  • NetSuite account ID (company identifier).

    Note:

    As of 2020.1, the realm parameter is no longer required for this step.

role

  • Optional.

  • Indicates the role for which to grant the access token.

state

  • Optional.

  • Maximum length is 512 characters. Valid characters are uppercase and lowercase letters (a-z, A-Z) and digits (0-9).

The client uses the state value to tie the callback it later receives to the request it originated, so it should be unguessable and checked on return. Refer to RFC 6749, Section 4.1.1 for more information about the state parameter.

Note:

Refer to RFC 5849 if you need more information about the parameters oauth_timestamp, oauth_nonce, and oauth_version.
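The following is an added example, not code from the NetSuite documentation, showing how the Authorization header for this step is assembled and signed. It follows RFC 5849 for the signature base string (every header parameter except realm and oauth_signature, percent-encoded and sorted) and HMAC-SHA256 with a key built from the consumer secret and an empty token secret; confirm the exact base string against the Constructing the Signature for Step One topic for your account. The account ID, consumer key and secret, callback URL, nonce and timestamp are constructed placeholders. The verify function at the end shows the server-side checks (constant-time signature comparison and a timestamp freshness window, whose 300-second bound is an assumption, not a documented NetSuite value).

```python
"""Build and verify the TBA Step One OAuth 1.0 Authorization header (HMAC-SHA256).

Added example. Credentials, account ID, nonce and timestamp are constructed
placeholders, not real values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlsplit

REQUEST_TOKEN_PATH = "/rest/requesttoken"


def pct(s):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal;
    # everything else becomes %XX with uppercase hex.
    return quote(s, safe="")


def base_string_uri(url):
    # RFC 5849 section 3.4.1.2: lowercase scheme and host, drop default port and query.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}[scheme]
    authority = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{authority}{parts.path or '/'}"


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: all header parameters except realm and oauth_signature,
    # percent-encoded, sorted by key, joined with '&', then the whole thing encoded again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha256_signature(base, consumer_secret, token_secret=""):
    # Step One has no token secret yet, so the key is the consumer secret plus a bare '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_step_one_header(account_id, consumer_key, consumer_secret, callback,
                          role=None, state=None, nonce=None, timestamp=None):
    """Return (request token URL, Authorization header value) for the POST."""
    url = f"https://{account_id}.restlets.api.netsuite.com{REQUEST_TOKEN_PATH}"
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_urlsafe(15),  # 15 random bytes -> 20 chars
        "oauth_version": "1.0",
        "oauth_callback": callback,
    }
    if role is not None:
        params["role"] = str(role)
    if state is not None:
        params["state"] = state
    base = signature_base_string("POST", url, params)
    params["oauth_signature"] = hmac_sha256_signature(base, consumer_secret)
    # realm travels in the header but is never part of the signed string.
    header_params = {"realm": account_id, **params}
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in header_params.items())
    return url, header


def parse_oauth_header(header):
    """Split an 'OAuth k="v", ...' header back into a dict of decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for item in header[len("OAuth "):].split(", "):
        key, _, value = item.partition("=")
        params[key] = unquote(value.strip('"'))
    return params


def verify_step_one(method, url, header, consumer_secret, now=None, max_skew=300):
    """Server-side check: recompute the signature and reject stale timestamps.

    max_skew (seconds) is an assumed freshness window, not a documented NetSuite value.
    """
    params = parse_oauth_header(header)
    if params.get("oauth_signature_method") != "HMAC-SHA256":
        return False
    try:
        ts = int(params.get("oauth_timestamp", "0"))
    except ValueError:
        return False
    now = now if now is not None else int(time.time())
    if ts <= 0 or abs(now - ts) > max_skew:
        return False
    expected = hmac_sha256_signature(signature_base_string(method, url, params), consumer_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Note that the nonce/timestamp pair must also be tracked per consumer key on the server side to reject replays within the freshness window; that bookkeeping is outside this snippet.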

The HTTP Response Parameters for Step One

When an authorization request is successfully verified, the following HTTP response is returned:

Response Parameter

Description

oauth_token

An unauthorized request token, which should be authorized by the application in Step Two of the flow.

oauth_token_secret

The corresponding token secret, to be used for signature creation in Step Three of the flow.

oauth_callback_confirmed

The value is true when the request verification succeeded. The client should treat any other value as a failed request.

role

The role parameter is present in the response only if it was included in the request.

state

The state parameter is present in the response only if it was included in the request. The value must match the value sent in the request, and the client should verify this before proceeding.
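The response body is a form-encoded string of the parameters above. The following added example (not from the NetSuite documentation) shows the checks a client should run on it before moving to Step Two: both token values present, oauth_callback_confirmed equal to true, and the returned state equal to the one it sent. The sample response bodies are constructed.

```python
"""Validate the TBA Step One response body. Added example with constructed input."""
from urllib.parse import parse_qs


def parse_step_one_response(body, expected_state=None):
    """Return the response parameters, raising ValueError on any failed check."""
    # parse_qs returns lists; keep only single-valued keys, as the response defines them.
    raw = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    params = {k: v[0] for k, v in raw.items() if len(v) == 1}

    for required in ("oauth_token", "oauth_token_secret", "oauth_callback_confirmed"):
        if not params.get(required):
            raise ValueError(f"response is missing {required}")
    if params["oauth_callback_confirmed"] != "true":
        raise ValueError("oauth_callback_confirmed is not true; request verification failed")
    # The state check ties this response to the request this client actually made.
    if expected_state is not None and params.get("state") != expected_state:
        raise ValueError("state does not match the value sent in the request")
    return params


# Constructed sample of a successful response (token values are placeholders).
SAMPLE_OK = ("oauth_token=tok_placeholder&oauth_token_secret=sec_placeholder"
             "&oauth_callback_confirmed=true&role=3&state=abc123")
```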

When you have the HTTP response, proceed to Step Two Authorize the Request Token.

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Specifications for Signature Construction for the TBA Authorization Flow
Generating the Signature for the TBA Authorization Flow
Troubleshoot Token-based Authentication (TBA)