Step Two POST Request to the Token Endpoint

The application sends a POST request to the token endpoint. For a confidential client, the request must carry the client credentials in the HTTP Authorization request header (public clients identify themselves differently; see the note on public clients below) and the required parameters in the request body. At the end of this step, the access token and refresh token are granted.

The format of the URL is:

https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token

where <accountID> is your NetSuite account ID.

Request Parameters for Step Two

Request Parameter    Description

code                 The code parameter value obtained in Step One.

redirect_uri         The value of the redirect_uri parameter must match the value entered in the corresponding integration record and the value sent in the request in Step One.

grant_type           The value of the grant_type parameter in Step Two is authorization_code.

code_verifier        The value of the code_verifier must match the value generated in Step One. If the values do not match, an HTTP 400 Bad Request error is returned. For more information, see https://tools.ietf.org/html/rfc7636, sections 4.5 and 4.6.

Important:

Be aware of the following requirements for the request:

  • Request parameters must be encoded according to the HTML specification for the application/x-www-form-urlencoded media type. For more information, see URL Specification 5.1.

  • The client authentication method used in the header of the request follows the HTTP Basic authentication scheme. For more information, see RFC 7617. The credential is the string clientid:clientsecret, Base64 encoded. Base64 is an encoding, not encryption: the client secret is trivially recoverable from the header, so send it only over TLS and never embed it in a public (native or browser) client. The following code provides an example.

POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&code_verifier=abFOm_isZAwm7PpI9BtJRMEuiMqhU6sUqZlVWSsAAf1QutgIOD~on78mu-JdpbKc_RA7IEcf2e~q0XrKlJ1tE.8Un64PXLKQG16G4lwW-a5de_0aeU2mHnyVPg.Or8cE 

          
Note:

If you use public clients, you can choose from the following options:

  • The request has no Authorization header. The client_id parameter and the PKCE parameters are included in the body of the request, or

  • The Authorization header carries only the client_id, in the Basic scheme with an empty client secret (the Base64 encoding of clientid: with nothing after the colon). The PKCE parameters are included in the body of the request.

In both cases no client secret is sent, because a public client cannot keep one confidential; the code_verifier is what binds the authorization code to the client instance that started Step One.

The following code provides an example of the request with no Authorization header, where the PKCE parameters and the client_id parameter are included in the body of the request:

POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&client_id=6794a3086e4f61a120350d01b8527aed3631472ef33412212495be65a8fc8d4c&code_verifier=XG2JcZ.I5_67es~Pev0ZbWSPlOklZJq-KPNaFInKuzgGQV4AWt5taWLDnD4IAsnJW_hl9iPQdQcv9~xGSY.qTiB99HA2rfm8cUwlfrzBY0j3bK4XPx-gLhoV1MF1JCC2

          

The following code provides an example of the request with only the client_id in the Authorization header (Basic scheme, empty client secret). The PKCE parameters are included in the body of the request:

POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0Yzo=
Content-Type: application/x-www-form-urlencoded

code=70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50&redirect_uri=https%3A%2F%2Fmyapplication.com%2Fnetsuite%2Foauth2callback&grant_type=authorization_code&code_verifier=XG2JcZ.I5_67es~Pev0ZbWSPlOklZJq-KPNaFInKuzgGQV4AWt5taWLDnD4IAsnJW_hl9iPQdQcv9~xGSY.qTiB99HA2rfm8cUwlfrzBY0j3bK4XPx-gLhoV1MF1JCC2
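The following Python is an added example, not NetSuite's own code or SDK. It assembles the Step Two request for each of the three client authentication options shown above (confidential client with clientid:clientsecret, public client with client_id in the body, public client with only client_id in the Basic header) and shows the S256 comparison the token endpoint applies to code_verifier under RFC 7636 section 4.6, which is what produces the HTTP 400 on mismatch. The client ID, client secret, authorization code, redirect URI and code_verifier are the values used in this page's request examples; the account ID 123456 is a placeholder, and nothing is sent over the network.

```python
"""Build the Step Two token request offline and check a PKCE verifier.

Added example for the NetSuite OAuth 2.0 authorization code grant; it is
not NetSuite's own code. Client authentication variants:
  "secret"    confidential client: Basic clientid:clientsecret header
  "body"      public client: no Authorization header, client_id in the body
  "header_id" public client: Basic header carrying only "clientid:"
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import urlencode

TOKEN_PATH = "/services/rest/auth/oauth2/v1/token"

# Values copied from the request examples on this page.
CLIENT_ID = "6794a3086e4f61a120350d01b8527aed3631472ef33412212495be65a8fc8d4c"
CLIENT_SECRET = "cdc7ac22183ef5024e81b0fce8ef461c44d5896a1f1805d4b372ca61c4d326ae"
REDIRECT_URI = "https://myapplication.com/netsuite/oauth2callback"
SAMPLE_CODE = "70b827f926a512f098b1289f0991abe3c767947a43498c2e2f80ed5aef6a5c50"
SAMPLE_VERIFIER = ("abFOm_isZAwm7PpI9BtJRMEuiMqhU6sUqZlVWSsAAf1QutgIOD~on78mu-JdpbKc_"
                   "RA7IEcf2e~q0XrKlJ1tE.8Un64PXLKQG16G4lwW-a5de_0aeU2mHnyVPg.Or8cE")

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def basic_credential(client_id, client_secret):
    """RFC 7617 Basic value: Base64 of 'id:secret'. Encoding, not encryption."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(account_id, code, code_verifier, client_auth="secret"):
    """Return (url, headers, body) for the POST to the token endpoint.

    Raises ValueError for a malformed code_verifier so a bad value fails
    locally instead of as an HTTP 400 from the token endpoint.
    """
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    url = f"https://{account_id}.suitetalk.api.netsuite.com{TOKEN_PATH}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Order mirrors the page's examples; urlencode percent-encodes ':' and '/'
    # in redirect_uri per the application/x-www-form-urlencoded rules.
    params = [("code", code), ("redirect_uri", REDIRECT_URI),
              ("grant_type", "authorization_code")]
    if client_auth == "secret":
        headers["Authorization"] = basic_credential(CLIENT_ID, CLIENT_SECRET)
    elif client_auth == "body":
        params.append(("client_id", CLIENT_ID))
    elif client_auth == "header_id":
        headers["Authorization"] = basic_credential(CLIENT_ID, "")
    else:
        raise ValueError(f"unknown client_auth {client_auth!r}")
    params.append(("code_verifier", code_verifier))
    return url, headers, urlencode(params)


def code_challenge_s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(code_verifier, code_challenge):
    """The comparison the token endpoint makes in RFC 7636 section 4.6.

    A mismatch is what produces the HTTP 400 described above. Constant-time
    compare so the check itself leaks nothing about the stored challenge.
    """
    return hmac.compare_digest(code_challenge_s256(code_verifier), code_challenge)


if __name__ == "__main__":
    for mode in ("secret", "body", "header_id"):
        url, headers, body = build_token_request("123456", SAMPLE_CODE,
                                                 SAMPLE_VERIFIER, mode)
        print(f"--- {mode}\nPOST {url}")
        for k, v in headers.items():
            print(f"{k}: {v}")
        print(f"\n{body}\n")
    challenge = code_challenge_s256(SAMPLE_VERIFIER)
    print("challenge:", challenge, verifier_matches(SAMPLE_VERIFIER, challenge))
```

Running the block prints the three request variants; the "secret" variant reproduces the Authorization header and body shown in the first example above byte for byte, which is a quick way to confirm that a client library is encoding the credential and the form body correctly before touching a real account.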

          

HTTP Response for Step Two

JSON Response Field    Description

access_token           The value of the access_token parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes.

refresh_token          The value of the refresh_token parameter is in JWT format. The refresh token is valid for seven days.

                       Important: If you use public clients for OAuth 2.0, the refresh token is valid for only three hours and is for one-time use only.

expires_in             The value of the expires_in parameter is always 3600. The value represents the time period during which the access token is valid, in seconds.

token_type             The value of the token_type parameter is always bearer.

id_token               The id_token parameter is defined by OpenID Connect rather than by OAuth 2.0 itself, and NetSuite returns it only in the NetSuite as OIDC Provider feature flow. You do not need to configure or expect the id_token parameter as part of the OAuth 2.0 feature flow. For more information, see the topic Step Two POST Request to the Token Endpoint for the NetSuite as OIDC Provider flow.

The following is an example of a JSON response; both token values are JWTs:

            {"access_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExMDcxMjU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuYS41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4xNjExMDY3NjU1MzU5In0.TVpquJSRujxyZpp9ydnkfQFy8fq2eTRIt-7mA6B9nGvftEQ2pJCu-15qfxYoe6iKU1JEpOhuvA-MAzdI-TvM1ndHT37VRdpcEa3R_kdZuDIT5hAS0G5VRVOQVF6bseHTKm4HIe0bFy8vCIaS6utQ46crF0LnQK_bxYXsQz8nFEwGlk4mOmsKje5ZB_0vzXpHEuYh9sBFdwxhMNUO3P_tFiAF0f0oXXJzAzYTEjA9pH_tr1ymGFoLWCIfKiR1RUavvVVGeL-jiQdZSRNr5cQj4Nz8iixn9bR2R1rEtcoXBzAJ2pSVU9yimLe2bPmzxBggJr839PDUP4IlKwkvzMUoLw","refresh_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExNjcyNDU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuci41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4wIn0.BbSQ86Phg6CKLMJ9gJQurs1NK6niSxFzF2EBFT--KFysI2AV9S1llZgxsRNIrMXsDioaepdWsGzrKepJXq25t5Sr7f-jBwTLK9g9SkFAvvEFsVJCYbdA4_BNZkHKlCC-1mA_yFNZWBYPdfCMGDX39iIDd7LVkaj-oPjpnuRnnK1ntNzxHx0coJiXwj3KfOI0PK7xfG1zbVSW14XOlatWbi80MY0ZQCgF41nFs-Rv-a7r-b51mMrm6kKZx-0MXfKRYT60H3gPXCk2QzkKovKy3kBVjajbtVPNS2tF_SbFNWOXJrn4MFzvnnDy0qsxT_Ijy3S5LTgk4YLrlwKv_XoE7A","expires_in":"3600","token_type":"bearer"} 

          
Note:

The access token and refresh token are JWTs: three base64url-encoded segments (header, payload, signature) separated by dots, as described in RFC 7519. Base64url is an encoding, not encryption, so anyone who obtains a token can read its claims; treat both tokens as secrets, store them accordingly, and never write them to logs.
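As an added example (not NetSuite's code), the following Python parses a Step Two JSON response and decodes the JWT header and claims that the note above refers to, then cross-checks the response fields against each other: token_type must be bearer, expires_in must equal exp minus iat of the access token, and the issuer must be NetSuite. The response it reads is a constructed stand-in built in the block: the tokens carry a placeholder signature, and only the header fields (kid, typ, alg), the scope list and the iat/exp timestamps mirror the page's example. The point is that base64url decoding hands the claims to anyone holding the token; trust only comes from verifying the RS256 signature against the issuer's key, which this code deliberately does not do.

```python
"""Decode a Step Two token response offline.

Added example, not NetSuite code. The tokens are constructed here with a
placeholder signature; only the header fields, scopes and iat/exp
timestamps mirror the response shown on this page.
"""
import base64
import json
import time

ISSUER = "https://system.netsuite.com"


def b64url_decode(segment):
    """base64url (RFC 4648 section 5) with the padding that JWTs omit restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Return (header, claims) WITHOUT verifying the signature.

    Anyone holding the token can do this, which is why a token is a secret
    and why claims must not be trusted until the RS256 signature has been
    checked against the issuer's public key identified by header['kid'].
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def parse_token_response(body, now=None):
    """Validate the JSON from the token endpoint and return decoded claims.

    Checks: token_type is bearer, expires_in agrees with exp - iat of the
    access token, iss is NetSuite, and the access token is not yet expired.
    """
    resp = json.loads(body)
    if resp["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp['token_type']!r}")
    expires_in = int(resp["expires_in"])  # the page's example sends "3600" as a string
    out = {}
    for name in ("access_token", "refresh_token"):
        header, claims = decode_jwt(resp[name])
        if header.get("typ") != "JWT" or header.get("alg") != "RS256":
            raise ValueError(f"{name}: unexpected header {header}")
        if claims.get("iss") != ISSUER:
            raise ValueError(f"{name}: unexpected issuer {claims.get('iss')!r}")
        out[name] = claims
    access = out["access_token"]
    if access["exp"] - access["iat"] != expires_in:
        raise ValueError("expires_in does not match access token exp - iat")
    now = time.time() if now is None else now
    if now >= access["exp"]:
        raise ValueError("access token already expired")
    return {"expires_in": expires_in, "claims": out}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_jwt(claims):
    """Constructed token for this example: page-style header, fake signature."""
    header = {"kid": "s.SYSTEM.2020_1", "typ": "JWT", "alg": "RS256"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url(b"\x00" * 256)])


def constructed_response(iat=1611067655):
    """JSON body shaped like the page's example (access 60 min, refresh 7 days)."""
    base = {"sub": "3;7", "scope": ["rest_webservices", "restlets"], "iss": ISSUER}
    access = dict(base, iat=iat, exp=iat + 3600)
    refresh = dict(base, iat=iat, exp=iat + 7 * 24 * 3600)
    return json.dumps({"access_token": constructed_jwt(access),
                       "refresh_token": constructed_jwt(refresh),
                       "expires_in": "3600", "token_type": "bearer"})


if __name__ == "__main__":
    body = constructed_response()
    result = parse_token_response(body, now=1611067655 + 60)
    print(json.dumps(result, indent=2))
```

Feeding the page's real response to parse_token_response gives the same lifetimes (exp minus iat is 3600 for the access token and 604800 for the refresh token); the expiry check is driven by the now argument so it behaves the same whenever it is run.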

After the access token and refresh token are granted, the integration is auto-installed in the account. If the integration fails to auto-install, check the State field in the corresponding integration record. Go to Setup > Integration > Manage Integrations, and click the name of the record. The value of the State field must be Enabled to auto-install the integration successfully.

Note:

The integration record should be auto-installed when the access token is granted, if the Require Approval During Auto-installation of Integration box is not checked on the SOAP Web Services Preferences page. If this box is checked, you must clear it to successfully auto-install integrations.

You must change the state manually if an access token was granted for the integration record before the box was cleared. To change the state manually, go to Setup > Integration > Manage Integrations, click the name of the corresponding integration record, and change the State field value to Enabled.
