Step One Obtain An Unauthorized Request Token

The application sends a POST request to the request token endpoint. Include the necessary parameters in the authorization header.

The format of the URL is:


where <accountID> is a variable for your NetSuite account ID.


You should use the account-specific domain URL as shown. However, as of 2020.1, if you do not know the account ID, requests can be sent to the domain.

See the following header for details.

Request Header Parameters in the Authorization Header for Step One

OAuth Authorization Header Parameter



  • Identifies the client. (The service attempting to access the resource.)

  • The value of the consumer key is provided when the integration record is created.


Only HMAC-SHA256 is supported.


  • Constructed signature (consumer secret to be used during signing)

For more information about constructing a signature, see Constructing the Signature for Step One of the TBA Authorization Flow. See also Specifications for Signature Construction for the TBA Authorization Flow.


  • Number of seconds passed since 1st January 1970 00:00:00 GMT

  • Must be a positive integer

  • Should be equal to or greater than any timestamp passed in previous requests


  • Generated random string. Nonce must be at least six characters long. An ideal nonce length is 20 characters.

  • Must be unique for all requests with the same timestamp.


  • Optional.

  • If present, value must be 1.0.


  • An absolute URL, to which a redirect with a verification code will be performed.

  • The callback URL should match the callback URL in the corresponding integration record.

  • As of 2020.1, the callback URL supports multiple ports on a localhost (http://localhost:*). This is the only case where use of the asterisk (*) character is permitted.


  • NetSuite account ID (company identifier).


    As of 2020.1, the realm parameter is no longer required for this step.


  • Optional.

  • Indicates the role for which to grant the access token.


Refer to RFC 5849 if you need more information about the parameters oauth_timestamp, oauth_nonce, and oauth_version.
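The following is an added example, not code from the original page or from NetSuite: it assembles the Step One Authorization header from the parameters described above. It assumes the parameter names and signature base string of RFC 5849 (section 3.4) with HMAC-SHA256 as the digest; the signature-construction topics referenced above remain authoritative. The URL, key, secret and callback are constructed placeholders, and `pct`, `new_nonce` and `build_step_one_header` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import secrets
import string
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def new_nonce(length=20):
    """Random alphanumeric nonce; 20 characters is the length the page calls ideal."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_step_one_header(url, consumer_key, consumer_secret, callback,
                          nonce=None, timestamp=None):
    """Return (signature base string, Authorization header value) for the POST."""
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or new_nonce(),
        "oauth_signature_method": "HMAC-SHA256",  # the only supported method
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_version": "1.0",  # optional, but must be 1.0 when present
    }
    # Assumption: RFC 5849 section 3.4.1 normalization (encode, sort, join).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join(["POST", pct(url), pct(normalized)])
    # No token secret exists yet in Step One, so the key is "<consumer secret>&".
    key = pct(consumer_secret) + "&"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha256).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    header = "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return base_string, header


if __name__ == "__main__":
    # Constructed sample values; the URL is a placeholder, not a NetSuite endpoint.
    print(build_step_one_header("https://example.invalid/request_token", "sample-key",
                                "sample-secret", "http://localhost:8080/callback")[1])
```

Generate a fresh nonce and timestamp for every request, and keep the consumer secret out of source control and logs, since it is the only secret protecting this step.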

The HTTP Response Parameters for Step One

When an authorization request is successfully verified, the following HTTP response is returned:

Response Parameter



An unauthorized request token, which should be authorized by the application in Step Two of the flow.


The corresponding token secret, to be used for signature creation in Step Three of the flow.


Response must be true, if the request verification was successful.


The role parameter is present in the response only if configured in the request.

When you have the HTTP response, proceed to Step Two Authorize the Request Token.

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Specifications for Signature Construction for the TBA Authorization Flow
Generating the Signature for the TBA Authorization Flow
Troubleshoot Token-based Authentication (TBA)
