Create Integration Records for Applications to Use OAuth 2.0
Before users can authorize an OAuth 2.0 application, an integration record must be created or edited for the application. Administrators or users with the Integration Application permission can create or edit integration records. For more information, see Integration Management.
To create an integration record for an application:
- Go to Setup > Integration > Manage Integrations > New.
- Enter a name for your application in the Name field.
- Enter a description in the Description field, if preferred.
- Select Enabled in the State field.
- Enter a note in the Note field, if preferred.
Note: Values of the State, Note, and OAuth 2.0 Consent Policy fields are specific to one NetSuite account. If you install a record in a different account, the values may change. Values of the Name and Description fields are read-only if the record is installed in a different account. For more information, see Auto-Installation of Integration Records.
- On the Authentication tab, check the appropriate boxes for your application:
Field on the Authentication tab, under OAuth 2.0:
Function of the field:
Authorization Code Grant
For more information, see OAuth 2.0 for Integration Application Developers.
Check this box if you want to implement the OAuth 2.0 authorization code grant flow for this integration.
Note: You can check both the Authorization Code Grant box and the Client Credentials (Machine to Machine) Grant box.
Redirect URI
- Enter the valid redirect URI for your application, on which the authorization code will be handled.
- The redirect URI is validated when you save the integration record.
Important: The redirect URI must use either the https:// scheme or a custom URL scheme (for example, myapp://callback). The http:// scheme isn't supported.
Transport layer security must be guaranteed on the redirect URI.
Public Client
(Optional). Check this box if you want to allow OAuth 2.0 public clients with this integration.
Use a public client for integrations where you can't control who is using them, because public clients don't include a client secret, which you must keep confidential. For example, if you distribute your integration outside your account, you don't have control over the confidentiality of its client secret. In such a case, always use OAuth 2.0 with public clients.
If you check the box, you can update values in the Refresh Token Validity (In Hours) and Maximum Time For Token Rotation (In Hours) fields.
Important: The Client Credentials (Machine to Machine) Grant doesn't support the use of public clients.
Refresh Token Validity (In Hours)
The value of the field represents the refresh token validity for this integration.
The default value of the field is 48. You can change this value to anything between 1 and 720. This option only applies to integrations using the OAuth 2.0 code grant flow with public clients.
Note: If you install an integration from a different source, the default value of the field can be different.
Maximum Time For Token Rotation (In Hours)
The value of the field represents the time after which the user of the integration must reauthenticate.
The default value of the field is 168. You can change this value to anything between 1 and 720. This option only applies to integrations using the OAuth 2.0 code grant flow with public clients.
Note: If you install an integration from a different source, the default value of the field can be different.
Client Credentials (Machine to Machine) Grant
For more information, see OAuth 2.0 for Integration Application Developers.
Check this box if you want to implement the OAuth 2.0 client credentials flow for this integration.
Note: You can check both the Authorization Code Grant box and the Client Credentials (Machine to Machine) Grant box.
RESTlets
For more information, see OAuth 2.0 for RESTlets.
Check this box if your OAuth 2.0 integration application requires accessing RESTlets.
REST Web Services
For more information, see OAuth 2.0 for REST Web Services.
Check this box if your OAuth 2.0 integration application requires accessing REST web services.
SuiteAnalytics Connect
Check this box if your OAuth 2.0 integration application requires accessing SuiteAnalytics Connect.
NetSuite AI Connector Service
Check this box if your OAuth 2.0 integration application requires accessing the NetSuite AI Connector Service.
Important: When using the NetSuite AI Connector Service, ensure that the following are cleared:
- All boxes in the Token-based Authentication section
- All boxes in the Client Credentials section
- The Client Credentials (Machine to Machine) Grant box
- All other OAuth 2.0 Scope boxes (RESTlets, REST web services, and SuiteAnalytics Connect).
Application Logo
(Optional). You can select a file from your File Cabinet. Supported formats are JPEG, PNG and GIF.
Application Terms of Use
(Optional). You can select any PDF file from your File Cabinet.
Application Privacy Policy
(Optional). You can select any PDF file from your File Cabinet.
OAuth 2.0 Consent Policy
Select an option from the list. See the following for more details about these options:
- Always Ask - This is the default option. The consent screen appears every time the OAuth 2.0 code grant flow is initiated.
- Never Ask - The consent screen doesn't appear during the OAuth 2.0 code grant flow. The integration is autoapproved by the Administrator.
Note: The Never Ask policy is unavailable for the NetSuite AI Connector Service scope.
- Ask First Time - The consent screen only appears the first time the OAuth 2.0 code grant flow is initiated. The consent screen also appears if:
  - The system doesn't know which role or account to choose for the user to log in with
  - The application requires a different set of scopes and needs a new consent
- Integration application developers can adjust the consent screen option using the prompt parameter in Step One of the OAuth 2.0 code grant flow. For more information, see Step One GET Request to the Authorization Endpoint. See also Integration Record and Prompt Parameter Combinations.
Note: If you don't want to use the Token-based Authentication feature for your integration, clear the TBA: Authorization Flow box, then clear the Token-based Authentication.
- Click Save.
Warning: The system displays the client ID and client secret only the first time you save the integration record. After you leave this page, these values can't be retrieved from the system. If you lose or forget the client ID and client secret, you'll have to reset them on the Integration page, to obtain new values. Treat these values as you would a password.
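
The constraints stated for the Authentication tab fields above (redirect URI scheme, the 1 to 720 hour ranges, and the boxes that must be cleared for the NetSuite AI Connector Service) can be checked against a planned record before it is saved. This is an added example, not NetSuite code; the dictionary keys are hypothetical stand-ins for the UI fields and the sample records are constructed.

```python
from urllib.parse import urlparse

# Keys are hypothetical stand-ins for the Authentication tab fields, not NetSuite field IDs.
OTHER_SCOPES = ("restlets", "rest_web_services", "suiteanalytics_connect")

def check_redirect_uri(uri):
    """https:// or a custom URL scheme is accepted; http:// isn't supported."""
    scheme = urlparse(uri).scheme.lower()
    if not scheme:
        return "redirect URI has no scheme"
    if scheme == "http":
        return "redirect URI uses http://, which isn't supported"
    return None

def audit_integration(cfg):
    """Return the findings for one planned integration record (a dict)."""
    findings = []
    if cfg.get("authorization_code_grant"):
        problem = check_redirect_uri(cfg.get("redirect_uri", ""))
        if problem:
            findings.append(problem)
    if cfg.get("public_client"):
        # Both hour fields accept 1 to 720 and only apply to public clients.
        for key in ("refresh_token_validity_hours", "max_token_rotation_hours"):
            value = cfg.get(key)
            if value is not None and not 1 <= value <= 720:
                findings.append(f"{key}={value} is outside 1-720")
    if cfg.get("ai_connector_service"):
        if cfg.get("tba_boxes_checked"):
            findings.append("clear all Token-based Authentication boxes")
        if cfg.get("client_credentials_grant"):
            findings.append("clear the Client Credentials (Machine to Machine) Grant box")
        extra = [s for s in OTHER_SCOPES if cfg.get(s)]
        if extra:
            findings.append("clear other scope boxes: " + ", ".join(extra))
        if cfg.get("consent_policy") == "Never Ask":
            findings.append("Never Ask is unavailable for the AI Connector Service scope")
    return findings

# Constructed sample records: a draft with problems and its corrected form.
DRAFT = {"authorization_code_grant": True, "redirect_uri": "http://app.example/callback",
         "public_client": True, "refresh_token_validity_hours": 1000,
         "ai_connector_service": True, "restlets": True, "consent_policy": "Never Ask"}
FIXED = {"authorization_code_grant": True, "redirect_uri": "https://app.example/callback",
         "public_client": True, "refresh_token_validity_hours": 48,
         "max_token_rotation_hours": 168, "ai_connector_service": True,
         "consent_policy": "Always Ask"}

if __name__ == "__main__":
    for name, record in (("DRAFT", DRAFT), ("FIXED", FIXED)):
        print(name, audit_integration(record) or "no findings")
```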