Refresh Token POST Request to the Token Endpoint

When the access token expires, the application sends a POST request carrying the refresh token to the token endpoint to obtain a new access token, without involving the user again.

The format of the URL is:

https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token

where <accountID> represents your NetSuite account ID.

Request Parameters for the Refresh Token Request

Request Parameter   Description
grant_type          The value of the grant_type parameter is refresh_token.
refresh_token       The refresh token issued by the previous token request. The value is in JSON Web Token (JWT) format.

Important:

The client authentication method used in the header of the request follows the HTTP Basic authentication scheme (see RFC 7617). The credential is the string client_id:client_secret, Base64 encoded. Base64 is an encoding, not encryption: the header reveals the client secret to anyone who can read the request, so it must only ever be sent to the https token endpoint. The following code provides an example.

POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExNjcyNDU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuci41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4wIn0.BbSQ86Phg6CKLMJ9gJQurs1NK6niSxFzF2EBFT--KFysI2AV9S1llZgxsRNIrMXsDioaepdWsGzrKepJXq25t5Sr7f-jBwTLK9g9SkFAvvEFsVJCYbdA4_BNZkHKlCC-1mA_yFNZWBYPdfCMGDX39iIDd7LVkaj-oPjpnuRnnK1ntNzxHx0coJiXwj3KfOI0PK7xfG1zbVSW14XOlatWbi80MY0ZQCgF41nFs-Rv-a7r-b51mMrm6kKZx-0MXfKRYT60H3gPXCk2QzkKovKy3kBVjajbtVPNS2tF_SbFNWOXJrn4MFzvnnDy0qsxT_Ijy3S5LTgk4YLrlwKv_XoE7A

Note:

If you use a public client (one that has no client secret to protect), choose one of the following options:

  • Omit the Authorization header entirely and send the client_id parameter in the body of the request, or

  • Send an Authorization header that contains only the client_id, with no client secret.

HTTP Response for Refresh Token Request

JSON Response Field   Description
access_token          The value of the access_token parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes.
expires_in            The value of the expires_in parameter is always 3600. The value represents the time period during which the access token is valid, in seconds.
token_type            The value of the token_type parameter is always bearer.

Important:

If you use public clients with OAuth 2.0, the refresh token request returns both a new access token and a new refresh token. The refresh token is valid for three hours and is for one-time use only: each refresh consumes it, and the application must store the newly returned refresh token for the next request.

The following is an example of a response:

{"access_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExMDcxMzA0LCJpYXQiOjE2MTEwNjc3MDQsImp0aSI6IjQwMzAwNTkuYS41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4xNjExMDY3NzA0MTI3In0.TqVYrtJL3hiJwCnAHA4Z067eiVETAvPQhee8s42OZYijEc4eTFXaAhdyo0c0WjnKnhGmH4KvBmcQneTpDAJaiuj2dBDx0LnWxV1tFjhBtxAu2FMlF4rcGi-D7seacZhOo-6szg-oxx25CNv9BcblkI9Ly9XI29lazYojIaOaYUVZABurla67boa53BeVMpoqwuitHzFs0VYdeXEWYJ9vpoiaz0aXdZWIPic-wVXoqj3nv4sShrpT4K4-QLQ72gUn1ITWFmOhC_V8SZ5EZH68bEcmwC3cPOZute2-L0AqNMKpiLPt-YD8B85z17dmA9B-hmr77eoGve7zI0UzBNS8iw","expires_in":"3600","token_type":"bearer"}

Note:

The access token is a JWT whose three dot-separated segments are Base64url encoded (RFC 7515), so its claims can be decoded and inspected by anyone holding it; the encoding provides no confidentiality, and only the signature provides integrity. For the definition of an access token, see RFC 6749, Section 1.4.

When the refresh token expires (or, for public clients, has already been used once), the token endpoint returns an invalid_grant error. Retrying the same request cannot recover from this: the application must go back to Step One of the OAuth 2.0 authorization code grant flow and obtain a new authorization.
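The following is an added example, not NetSuite's own code, that puts the whole section together: it builds the refresh request for both a confidential client (HTTP Basic with client_id:client_secret, as in the request example above) and a public client (no Authorization header, client_id in the body, the first of the two public-client options in the note above), parses the JSON response, and treats invalid_grant as "go back to Step One" rather than something to retry. The endpoint path, parameter names, bearer token_type and invalid_grant error come from this page; the function names, the constructed credentials, the placeholder JWT builder and the fake endpoint used to run it offline are assumptions of the example.

```python
# Added example (not NetSuite code). Endpoint path, parameters, Basic client
# authentication and the invalid_grant behaviour follow the page above;
# everything else (names, credentials, fake endpoint) is constructed here.
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_PATH = "/services/rest/auth/oauth2/v1/token"


class ReauthorizationRequired(Exception):
    """Refresh token expired or spent: restart the flow from Step One."""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 7617: "Basic " + Base64("client_id:client_secret"). Base64 hides
    # nothing; the secret is only safe because the token endpoint is https.
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(account_id, refresh_token, client_id, client_secret=None):
    """Return (url, headers, form_body). client_secret=None means a public
    client: no Authorization header, client_id goes into the form body."""
    url = f"https://{account_id}.suitetalk.api.netsuite.com{TOKEN_PATH}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
    return url, headers, urlencode(form)  # urlencode escapes the JWT safely


def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying its signature: fine for a client
    to look at exp/aud, never a basis for trusting the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # Base64url segments drop padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(status: int, body: str, now=None) -> dict:
    """Turn the endpoint's JSON into a token record. invalid_grant means the
    refresh token expired or (public clients) was already used: re-authorize."""
    data = json.loads(body)
    if status != 200:
        if data.get("error") == "invalid_grant":
            raise ReauthorizationRequired(data.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint returned {status}: {data}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        # expires_in arrives as the string "3600"; treat it as seconds from now.
        "expires_at": now + int(data["expires_in"]),
        # Public clients receive a new one-time refresh token; keep it.
        "refresh_token": data.get("refresh_token"),
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed JWT-shaped token for offline runs (placeholder signature;
    real NetSuite tokens are RS256-signed and must be verified server-side)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "sig"])


def demo(now: int = 1611067704):
    """Offline walk-through against a constructed endpoint: a public client
    refreshes once, then replays the same one-time token and gets invalid_grant."""
    spent = set()

    def fake_endpoint(form_body):
        fields = dict(pair.split("=", 1) for pair in form_body.split("&"))
        if fields["refresh_token"] in spent:
            return 400, json.dumps({"error": "invalid_grant"})
        spent.add(fields["refresh_token"])
        return 200, json.dumps({
            "access_token": make_unsigned_jwt({"exp": now + 3600}),
            "expires_in": "3600", "token_type": "bearer",
            "refresh_token": make_unsigned_jwt({"exp": now + 3 * 3600}),
        })

    _, _, body = build_refresh_request("123456", "rt-first", "cid", None)
    record = parse_token_response(*fake_endpoint(body), now=now)
    try:
        parse_token_response(*fake_endpoint(body), now=now)  # replay of a spent token
        reauth = False
    except ReauthorizationRequired:
        reauth = True
    return record, reauth
```

Calling demo() returns the token record from the first refresh together with True, showing that the replayed one-time refresh token is rejected with invalid_grant and that the only correct reaction is to start the authorization code grant flow again. To talk to the real endpoint, send the url, headers and body from build_refresh_request with any HTTP client and pass the status code and response body to parse_token_response.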

Note:

An access token or refresh token that has already been issued can still be used to access RESTlets, REST web services, or SuiteAnalytics Connect even if the user is locked out. Locking out a user therefore does not by itself invalidate that user's existing tokens.

Related Topics

OAuth 2.0
OAuth 2.0 for Integration Application Developers
OAuth 2.0 Authorization Code Grant Flow
OAuth 2.0 Access and Refresh Token Structure
Troubleshooting OAuth 2.0
