Refresh Token POST Request to the Token Endpoint
When the access token expires, the application can send the refresh token POST request to the token endpoint to get a new access token.
The format of the URL is:
https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token
where <accountID> represents your NetSuite account ID.
Request Parameters for the Refresh Token Request

| Request Parameter | Description |
|---|---|
| grant_type | The value of the grant_type parameter is refresh_token. |
| refresh_token | The value of the refresh_token parameter is in JSON Web Token (JWT) format. |
The client authentication method used in the header of the request follows the HTTP Basic authentication scheme (for more information, see RFC 7617). The credential is the string client_id:client_secret, Base64 encoded, sent in the Authorization header. The following code provides an example.
```http
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExNjcyNDU1LCJpYXQiOjE2MTEwNjc2NTUsImp0aSI6IjQwMzAwNTkuci41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4wIn0.BbSQ86Phg6CKLMJ9gJQurs1NK6niSxFzF2EBFT--KFysI2AV9S1llZgxsRNIrMXsDioaepdWsGzrKepJXq25t5Sr7f-jBwTLK9g9SkFAvvEFsVJCYbdA4_BNZkHKlCC-1mA_yFNZWBYPdfCMGDX39iIDd7LVkaj-oPjpnuRnnK1ntNzxHx0coJiXwj3KfOI0PK7xfG1zbVSW14XOlatWbi80MY0ZQCgF41nFs-Rv-a7r-b51mMrm6kKZx-0MXfKRYT60H3gPXCk2QzkKovKy3kBVjajbtVPNS2tF_SbFNWOXJrn4MFzvnnDy0qsxT_Ijy3S5LTgk4YLrlwKv_XoE7A
```
If you use public clients, you can choose from the following options:

- The request does not contain an Authorization header, and the client_id parameter is included in the body of the request, or
- The Authorization header of the request contains only the client_id.
HTTP Response for Refresh Token Request

| JSON Response Field | Description |
|---|---|
| access_token | The value of the access_token parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes. |
| expires_in | The value of the expires_in parameter is always 3600. |
| token_type | The value of the token_type parameter is always bearer. |
If you use public clients with OAuth 2.0, the refresh token request returns an access and refresh token. The refresh token is valid for three hours and is for one-time use only.
The following is an example of a response:
```json
{"access_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzOzciLCJhdWQiOlsiNkFDQkQ1MUMtNTE0Qi00RjU5LUIxQzMtQ0IzNUZGN0U5QTZBOzQwMzAwNTkiLCI0Nzc2MWI3NzY1MjJlMTg2ZmNkNzdmMTNjMjVlOGNjZjk5YWY5MDFhNjc4YTY2ZTcwMGIxNjFlZWZlOGZhODhkIl0sInNjb3BlIjpbInJlc3Rfd2Vic2VydmljZXMiLCJyZXN0bGV0cyJdLCJpc3MiOiJodHRwczpcL1wvc3lzdGVtLm5ldHN1aXRlLmNvbSIsIm9pdCI6MTYxMTA2NzY1NSwiZXhwIjoxNjExMDcxMzA0LCJpYXQiOjE2MTEwNjc3MDQsImp0aSI6IjQwMzAwNTkuYS41YjMyMzZiOS1mZmVlLTQyZDMtYmQ1Ny00YmU3YjQ0MzlhMzdfMTYxMTA2NzY1NTM1OS4xNjExMDY3NzA0MTI3In0.TqVYrtJL3hiJwCnAHA4Z067eiVETAvPQhee8s42OZYijEc4eTFXaAhdyo0c0WjnKnhGmH4KvBmcQneTpDAJaiuj2dBDx0LnWxV1tFjhBtxAu2FMlF4rcGi-D7seacZhOo-6szg-oxx25CNv9BcblkI9Ly9XI29lazYojIaOaYUVZABurla67boa53BeVMpoqwuitHzFs0VYdeXEWYJ9vpoiaz0aXdZWIPic-wVXoqj3nv4sShrpT4K4-QLQ72gUn1ITWFmOhC_V8SZ5EZH68bEcmwC3cPOZute2-L0AqNMKpiLPt-YD8B85z17dmA9B-hmr77eoGve7zI0UzBNS8iw","expires_in":"3600","token_type":"bearer"}
```
The access token is Base64 encoded. For more information, see RFC 6749, section 1.4.
When the refresh token expires, the token endpoint returns an invalid_grant error. The application must go back to Step One of the OAuth 2.0 authorization code grant flow to restart the process.
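The request and response handling described above, as an added example written for this page (it is not NetSuite's own client code): the request builder covers both the confidential-client Basic header and the public-client body parameter, the response parser cross-checks expires_in against the token's own exp and iat claims, and an invalid_grant reply is surfaced as a distinct exception so the caller knows to restart at Step One. The account ID, client credentials and the unsigned sample token used in testing are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode


class RefreshTokenExpired(Exception):
    """invalid_grant: the refresh token is gone; restart the authorization code grant at Step One."""


def build_refresh_request(account_id, client_id, refresh_token, client_secret=None):
    """Return (url, headers, body). Confidential clients authenticate with HTTP Basic
    base64(client_id:client_secret); public clients (client_secret=None) send client_id in the body."""
    url = f"https://{account_id}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return url, headers, urlencode(form)


def jwt_claims(token):
    """Read a JWT's payload claims (no signature check: the client only needs exp/iat for scheduling)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(status, body):
    """Map the endpoint's JSON to {access_token, expires_at, refresh_token}; raise on errors."""
    data = json.loads(body)
    if status != 200:
        if data.get("error") == "invalid_grant":
            raise RefreshTokenExpired(data.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint returned HTTP {status}: {data}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    claims = jwt_claims(data["access_token"])
    if claims["exp"] - claims["iat"] != int(data["expires_in"]):  # page: always 3600
        raise ValueError("expires_in does not match the token's exp - iat")
    return {"access_token": data["access_token"], "expires_at": claims["exp"],
            "refresh_token": data.get("refresh_token")}  # new one-time token for public clients


def make_sample_jwt(claims):
    """Constructed, unsigned test token (not issued by NetSuite); the signature segment is a placeholder."""
    def seg(obj): return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"
```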
Users can use the access token and refresh token to access RESTlets, REST web services, or SuiteAnalytics Connect, including if they are locked out.