OAuth 2.0 Access and Refresh Token Structure

Both the access token and refresh token include three parts: a header, a payload, and a signature.

The token header includes the following parameters:

Parameter Name    Description
kid               The value of the kid parameter is the ID of the certificate used for signing the token.
typ               The value of the typ parameter is JWT.
alg               The value of the alg parameter is RS256.

The token payload includes the following parameters:

Parameter Name    Description
sub               The value of the sub parameter is the role and entity of the user, separated by a semicolon. For example, 1111;10.
aud               The value of the aud parameter is the Application ID of the integration record, and the company, separated by a semicolon. Additionally, the client ID is a part of the aud parameter, separated by a comma. For example, 1A111AA1-AA11-1A11-1111-A1A1111111A1;1111, 661131f7bf0a2f8a4d09c79d3fa961eab66102dca43e07ad47d3a29628ced67b.
scope             The value of the scope parameter is either restlets, rest_webservices, suite_analytics, or all of them, separated by a comma.
iss               The value of the iss parameter is https://system.netsuite.com.
oit               The value of the oit parameter represents the number of seconds since the first token of the token chain was issued. This is only applicable for public clients.
exp               The value of the exp parameter represents the number of seconds since January 1, 1970, until the token’s expiration.
iat               The value of the iat parameter represents when the token was issued. The value of the parameter is in seconds since January 1, 1970.
jti               The value of the jti parameter is the token ID, which is unique for every token.

The following is an example of a token response in JSON format; the access_token value is the JWT:

{"access_token": "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI0MDMwMDU5OzA7Mzs3O04iLCJhdWQiOlsiOWE1MDY4YjFjNGU5OGU4Yjg1YzMwMmYyMjg2N2YzNTAyYTBmYzYwNzU4MDQwNzliNzYzZmExYzg2NzJiYTlkNCIsImFwcDoyNzBDNDQ3Ny1DNUY1LTRFMDQtQkNDMS1CMDMzRDk0QTlDMDgiXSwic2NvcGUiOlsicmVzdF93ZWJzZXJ2aWNlcyIsInJlc3RsZXRzIl0sImlzcyI6Imh0dHBzOlwvXC9ydW5ib3guY29ycC5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2Mjc5MDYzMzAsImV4cCI6MTYyNzkwOTkzMCwiaWF0IjoxNjI3OTA2MzMwLCJqdGkiOiJhLmMuZmI3ZDYzN2YtOTdjNC00Nzk0LTkyYWYtZTU2N2ZhYjc1ODRlLjE2Mjc5MDYzMzA1MDMuMTYyNzkwNjMzMDUwMyJ9.QjzADDeU2yN-6j-ol0fApgmleIn17HHD4bi06yBYpEpL5rBSbK3h11-GgU44Kc6ujQQQ3t4yr6IWBrtak5qLPWQmJE5-Ry_IvaxZRmPuB8rxI09_o4uXJE7oxpMreK4snYoIfH1Ph40Fq977MVVz9K-5pCTclOberX9dTTM3O0BnL6QNrf3lv3RA7J5LilceGAm4OV7OOoddn_fB6yeO0ZghVbJbRgI-tChqwdmWY42zhTeHjdG4K6ooA2IVcOm2GUFMhiFT2I00ZLZ-dYBPYkfRDn2Fvbn8V8GN1biQ6_u6j07k0XSq1Mv-WN-saH7rTKaA1gkX4IFwIHzN7eJUcg", "expires_in": "3600", "token_type": "Bearer"}

Note: The token’s dot-separated values are Base64 encoded.
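The following added example (not NetSuite code) decodes the sample token response above and checks the header fields and payload claims this page documents: typ and alg, kid presence, iss, aud, scope, exp and iat. It deliberately does not verify the signature, so every value it reports is unauthenticated until the RS256 check against the key named by kid has been done. Two things the sample itself shows are worth noting: its iss is an internal NetSuite host rather than the documented https://system.netsuite.com (so the example passes the sample's own issuer as the expected value, and a production check should expect the documented one), and its aud and scope are JSON arrays, so the helper accepts both arrays and the delimited strings the table describes. The client ID passed to the check is the first aud entry of the sample; the `now` values are chosen to fall inside and after the sample's lifetime.

```python
"""Decode a NetSuite OAuth 2.0 access token and check its documented claims.

Added example, not NetSuite code. It decodes the sample token response quoted
on this page and checks the header fields and payload claims the page
documents. It does NOT verify the RS256 signature: until the signature has
been checked against the key named by kid, every value below is unauthenticated
input.
"""
import base64
import json

# Token response exactly as quoted on this page (its iat/exp place it in August 2021).
SAMPLE_RESPONSE = '{"access_token": "eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI0MDMwMDU5OzA7Mzs3O04iLCJhdWQiOlsiOWE1MDY4YjFjNGU5OGU4Yjg1YzMwMmYyMjg2N2YzNTAyYTBmYzYwNzU4MDQwNzliNzYzZmExYzg2NzJiYTlkNCIsImFwcDoyNzBDNDQ3Ny1DNUY1LTRFMDQtQkNDMS1CMDMzRDk0QTlDMDgiXSwic2NvcGUiOlsicmVzdF93ZWJzZXJ2aWNlcyIsInJlc3RsZXRzIl0sImlzcyI6Imh0dHBzOlwvXC9ydW5ib3guY29ycC5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2Mjc5MDYzMzAsImV4cCI6MTYyNzkwOTkzMCwiaWF0IjoxNjI3OTA2MzMwLCJqdGkiOiJhLmMuZmI3ZDYzN2YtOTdjNC00Nzk0LTkyYWYtZTU2N2ZhYjc1ODRlLjE2Mjc5MDYzMzA1MDMuMTYyNzkwNjMzMDUwMyJ9.QjzADDeU2yN-6j-ol0fApgmleIn17HHD4bi06yBYpEpL5rBSbK3h11-GgU44Kc6ujQQQ3t4yr6IWBrtak5qLPWQmJE5-Ry_IvaxZRmPuB8rxI09_o4uXJE7oxpMreK4snYoIfH1Ph40Fq977MVVz9K-5pCTclOberX9dTTM3O0BnL6QNrf3lv3RA7J5LilceGAm4OV7OOoddn_fB6yeO0ZghVbJbRgI-tChqwdmWY42zhTeHjdG4K6ooA2IVcOm2GUFMhiFT2I00ZLZ-dYBPYkfRDn2Fvbn8V8GN1biQ6_u6j07k0XSq1Mv-WN-saH7rTKaA1gkX4IFwIHzN7eJUcg", "expires_in": "3600", "token_type": "Bearer"}'

# The scope values the page documents; anything else in the token is flagged.
ALLOWED_SCOPES = {"restlets", "rest_webservices", "suite_analytics"}


def sample_access_token():
    return json.loads(SAMPLE_RESPONSE)["access_token"]


def b64url_decode(segment):
    # JWT segments use the URL-safe alphabet with '=' padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Split header.payload.signature; header and payload are parsed, the signature is left raw."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def as_list(value):
    """aud and scope: documented as delimited strings, carried as JSON arrays in the sample token."""
    items = value if isinstance(value, list) else str(value).replace(";", ",").split(",")
    return [str(item).strip() for item in items if str(item).strip()]


def check_claims(token, expected_iss, expected_client_id, now, leeway=60):
    """Return the parsed token plus a list of problems; an empty list means the claims are acceptable."""
    header, claims, _signature = decode_unverified(token)
    problems = []
    if header.get("typ") != "JWT":
        problems.append("header typ is not JWT")
    if header.get("alg") != "RS256":
        # The verifier fixes the algorithm; it is never taken from the token.
        problems.append(f"header alg {header.get('alg')!r} is not RS256")
    if not header.get("kid"):
        problems.append("header kid is missing, so no verification key can be selected")
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} is not the expected issuer")
    aud = as_list(claims.get("aud", ""))
    if expected_client_id not in aud:
        problems.append("aud does not name this client ID")
    scopes = as_list(claims.get("scope", ""))
    unknown = sorted(set(scopes) - ALLOWED_SCOPES)
    if unknown:
        problems.append(f"unknown scopes {unknown}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp + leeway <= now:
        problems.append("token is expired (exp) or exp is missing")
    if not isinstance(iat, int) or iat - leeway > now:
        problems.append("iat is missing or lies in the future")
    return {
        "ok": not problems,
        "problems": problems,
        "kid": header.get("kid"),
        "sub_fields": str(claims.get("sub", "")).split(";"),  # role;entity per the table; the sample carries more fields
        "aud": aud,
        "scopes": scopes,
        "lifetime": (exp - iat) if isinstance(exp, int) and isinstance(iat, int) else None,
        "claims": claims,
    }


if __name__ == "__main__":
    import time
    token = sample_access_token()
    client_id = "9a5068b1c4e98e8b85c302f22867f3502a0fc6075804079b763fa1c8672ba9d4"  # first aud entry of the sample
    inside = check_claims(token, "https://runbox.corp.netsuite.com", client_id, now=1627906400)
    print(inside["kid"], inside["sub_fields"], inside["scopes"], inside["lifetime"], inside["ok"])
    print(check_claims(token, "https://runbox.corp.netsuite.com", client_id, now=int(time.time()))["problems"])
```

Run as of a moment inside the sample's lifetime the check passes and reports a 3600-second lifetime, matching the expires_in of the response; run as of today it reports the token as expired.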

The signature is validated with a public key, which is associated with the kid parameter. To access the public key for your account, use the following URL:

https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/keys

where <accountID> represents your NetSuite account ID.

Certificate Rotation

As of NetSuite 2021.1, the certificates used to validate access and refresh tokens during the OAuth 2.0 code grant flow are no longer valid indefinitely.

The certificates are valid for 90 days and the system generates new certificates 30 days before the previous certificates expire.

The certificates are company-specific.
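The following added example (not NetSuite code) shows the verifier side of the two preceding sections: the key is selected from the published key set by the token's kid, the RS256 signature is checked with that key, and, because certificates rotate, a kid the cached key set has not seen triggers exactly one refetch before the token is rejected. Nothing here contacts NetSuite: the keys endpoint is stood in for by a local function returning a constructed JWKS, the RSA key pair is generated in-process, and the kid value is made up. The RSA and PKCS#1 v1.5 arithmetic is written out with Python integers only so the block runs offline on the standard library; a production verifier should use a maintained JWT library.

```python
"""Check an access token's RS256 signature with the public key that its kid names.

Added example, not NetSuite code. The keys endpoint is stood in for by a local
function returning a constructed JWKS, the RSA key pair is generated in-process,
and the RS256 arithmetic uses plain Python integers so the block runs offline.
"""
import base64
import hashlib
import json
import secrets


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _is_probable_prime(n, rounds=20):
    # Miller-Rabin: fine for a demo key, not a replacement for a real key generator.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_keypair(bits=1024):
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            n = p * q
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


# RSASSA-PKCS1-v1_5 with SHA-256, which is what the header's alg value RS256 denotes.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_verify(message, signature, pub):
    k = (pub["n"].bit_length() + 7) // 8
    return len(signature) == k and pow(int.from_bytes(signature, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(message, k)


def jwks_document(kid, pub):
    # Constructed JWKS in the shape a keys endpoint publishes.
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(pub["n"]), "e": enc(pub["e"])}]}


def issue_token(kid, priv, claims):
    # Issuer side, present only so the verifier has a token to check.
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"kid": kid, "typ": "JWT", "alg": "RS256"}) + "." + enc(claims)
    k = (priv["n"].bit_length() + 7) // 8
    signature = pow(_emsa_pkcs1_v15(signing_input.encode(), k), priv["d"], priv["n"]).to_bytes(k, "big")
    return signing_input + "." + b64url_encode(signature)


class KeySet:
    """Cached JWKS that refetches once when a token names a kid it has not seen (expected
    during certificate rotation); a kid still absent after the refresh is rejected."""
    def __init__(self, fetch_jwks):
        self._fetch, self.refreshes = fetch_jwks, 0
        self._load()
    def _load(self):
        self._keys = {k.get("kid"): k for k in self._fetch()["keys"] if k.get("kty") == "RSA"}
    def public_key(self, kid):
        if kid not in self._keys:
            self.refreshes += 1
            self._load()
        if kid not in self._keys:
            raise LookupError(f"kid {kid!r} is not in the published key set")
        jwk = self._keys[kid]
        return {"n": int.from_bytes(b64url_decode(jwk["n"]), "big"), "e": int.from_bytes(b64url_decode(jwk["e"]), "big")}


def verify_signature(token, keyset):
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError("alg must be RS256: the verifier fixes the algorithm, the header does not choose it")
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), keyset.public_key(header.get("kid"))):
        raise ValueError("signature does not verify under the key named by kid")
    return json.loads(b64url_decode(p64))  # claims are trustworthy only from this point on


if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    published = jwks_document("s.DEMO.2021_1", pub)  # constructed kid
    token = issue_token("s.DEMO.2021_1", priv, {"sub": "1111;10", "iss": "https://system.netsuite.com"})
    print(verify_signature(token, KeySet(lambda: published)))
```

The refetch-once rule is what makes rotation safe to handle automatically: a new certificate appearing 30 days before the old one expires produces an unfamiliar kid that one refresh resolves, while a kid the endpoint never publishes is still refused, and the refresh path cannot be turned into a flood of requests to the keys endpoint by sending tokens with arbitrary kid values more than once per unknown kid per cache.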

Related Topics

OAuth 2.0
OAuth 2.0 for Integration Application Developers
OAuth 2.0 Authorization Code Grant Flow
Step One GET Request to the Authorization Endpoint
Step Two POST Request to the Token Endpoint
Troubleshooting OAuth 2.0