Step Three: Exchange the Request Token for an Access Token

The application should send a POST request to the access token endpoint. Include the necessary parameters in the authorization header.

The format of the URL is:


where <accountID> is a variable for your NetSuite account ID.

Request Header Parameters in the Authorization Header for Step Three

OAuth Authorization Header Parameter



The same verified oauth_consumer_key value that was used in Step One, from the Integration record.


The authorized request token from the response in Step Two.

  • oauth_signature_method: Only HMAC-SHA256 is supported for the signature method.

  • oauth_timestamp: Should be equal to or greater than any timestamp passed in previous requests.

  • oauth_nonce: Nonce must be unique for all requests with the same timestamp. Length should be 20 characters.

  • oauth_version: Optional, but if present, must be 1.0.


The attribute from Step Two.


Similar to the procedure in Step One, but also including the token secret which was returned in Step One. For more information about constructing a signature, see Constructing the Signature for Step Three of the TBA Authorization Flow. See also Specifications for Signature Construction for the TBA Authorization Flow.


NetSuite account ID (company identifier).


As of 2020.1, the realm parameter is no longer required for this step.
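
The header parameters listed above, assembled into a signed Step Three Authorization header. This is an added example, not NetSuite's own code: it assumes the signature follows the general OAuth 1.0a (RFC 5849) construction and that the Step Two attribute is sent under the standard OAuth 1.0a name oauth_verifier. The endpoint URL and all credential values are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, string, time
from urllib.parse import quote

# Constructed placeholder; the real access token endpoint URL is account-specific.
ENDPOINT = "https://ACCOUNT-ID.example.invalid/access-token-endpoint"

def pct(value):
    """Percent-encode per RFC 3986, leaving only unreserved characters."""
    return quote(str(value), safe="-._~")

def new_nonce(length=20):
    """Random 20-character nonce from a CSPRNG, unique per request."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA256 over the RFC 5849 signature base string (assumed construction)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # Step Three keys the HMAC with the consumer secret AND the token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha256).digest()).decode()

def step_three_header(consumer_key, consumer_secret, request_token, token_secret,
                      verifier, last_timestamp=0, timestamp=None, nonce=None, url=ENDPOINT):
    """Build the Authorization header for the POST to the access token endpoint."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    if ts < last_timestamp:
        raise ValueError("oauth_timestamp is older than one already sent")
    nonce = nonce or new_nonce()
    if len(nonce) != 20:
        raise ValueError("oauth_nonce should be 20 characters long")
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,          # authorized request token (Step Two)
        "oauth_verifier": verifier,            # assumed name of the Step Two attribute
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(ts),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())
```

Pass the highest timestamp already sent as last_timestamp so a clock step backwards is caught locally, before the request is sent.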


Whether you use The Three-Step TBA Authorization Flow or call The IssueToken Endpoint, an integration record is created and automatically installed in your account. The Require Approval during Auto-Installation of Integration preference determines whether this new record is automatically enabled. You can manage the preference at Setup > Integration > SOAP Web Services Preferences. If the Require Approval during Auto-Installation of Integration box is not checked (set to false), the State field on the new integration record is automatically set to Enabled, and all requests are permitted. If the box is checked (set to true), the State field on the new integration record is set to Waiting for Approval. In that case, you must manually edit the record and set the State to Enabled. Until you set the State to Enabled, all requests sent by that application are blocked.

Response Parameters for Step Three

Response Parameter


  • oauth_token

  • oauth_token_secret

The granted access token and token secret, which are used to build the authorization header for calls to a RESTlet or a web service.

For more information, see The Authorization Headers.

If the access token is generated successfully, the integration record is automatically installed for the requested account. For more information, see Auto-Installation of Integration Records.

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Specifications for Signature Construction for the TBA Authorization Flow
Generating the Signature for the TBA Authorization Flow
Troubleshoot Token-based Authentication (TBA)
