Refresh Token POST Request to the Token Endpoint
When the access token expires, the application can send the refresh token POST request to the token endpoint to get a new access token.
The format of the URL is:
https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token
where <accountID> represents your NetSuite account ID.
Request Parameters for the Refresh Token Request
|
Request Parameter |
Description |
|---|---|
|
grant_type |
The value of the grant_type parameter is |
|
refresh_token |
The value of the refresh_token parameter is in JSON Web Token (JWT) format. |
the client authentication method used in the header of the request follows the HTTP Basic authentication scheme. For more information, see RFC 7617. The format is client_id:client_secret. The string value is Base64url encoded. The following code provides an example.
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1NTstNSIsImF1ZCI6WyJEREUyNDFGRC1ENjVGLTQ0REQtQUNBRC0wRjJEQ0MzRDhCRkM7TVNUUldMRkNBTkFEQSIsIjk5MDFjZTQxZTAxZjdlZDlkZmY4NDliNGRjYTVmNTVlZDIyYjliNmY5MmIyY2ViZTViMTUxZjhiYTM5NzQ0MTUiXSwic2NvcGUiOlsiZW1haWwiLCJvcGVuaWQiXSwiaXNzIjoiaHR0cHM6XC9cL3N5c3RlbS5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2MTMwNTQ0MDksImV4cCI6MTYxMzY1OTIwOSwiaWF0IjoxNjEzMDU0NDA5LCJqdGkiOiJNU1RSV0xGQ0FOQURBLnIuODY2MTczOTUtZDlmYi00OGIyLWIyYmUtMzlhZWQyODQ3YjhhXzE2MTMwNTQ0MDk1OTMuMCJ9.R20NH4bOSZFY8fF_BQasT-_H9vdlLPQUUjT_vk-QhldCp0ldtKDuYk9jZQyyuFhvDeJymRfgnGcG9FGoEz3ArN7VroxZiPlHjG-lk7TDn0WeUR6Gqsvf9ITLfrUj5vy-Nqux91WesE02g6WFRt8YOz1o0D4wagmfpHLIgNpLmMGzpDwOzgOxvUBwLwXrVMptj_gPKrsIFafuak7my8xy332f3ZWbG80VSra_wif4Kgy1NGJ8BCLcy6t5Q4RgJ1pgEau52rkBi6EqcNyPsFvzpkElmQq8S9yJo9ALXrNIXrx6XP-kDAR7Pai3lpqZGEYVi-DODYBDimgj-bWG1HPT3w
If you use public clients you can choose from the following options:
-
The HTTP authorization request header does not contain the Authorization and the client_id parameter is included in the body of the request, or
-
The HTTP authorization request header contains only the client_id in the Authorization.
HTTP Response for Refresh Token Request
|
JSON Response Fields |
Description |
|---|---|
|
access_token |
The value of the access_token parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes. |
|
expires_in |
The value of expires_in parameter is always |
|
token_type |
The value of the token_type parameter is always |
If you use public clients with OAuth 2.0, the refresh token request returns access and refresh token. The refresh token is valid for three hours and is for one-time use only.
The following is an example of a response:
{"access_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1NTstNSIsImF1ZCI6WyJEREUyNDFGRC1ENjVGLTQ0REQtQUNBRC0wRjJEQ0MzRDhCRkM7TVNUUldMRkNBTkFEQSIsIjk5MDFjZTQxZTAxZjdlZDlkZmY4NDliNGRjYTVmNTVlZDIyYjliNmY5MmIyY2ViZTViMTUxZjhiYTM5NzQ0MTUiXSwic2NvcGUiOlsiZW1haWwiLCJvcGVuaWQiXSwiaXNzIjoiaHR0cHM6XC9cL3N5c3RlbS5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2MTMwNTQ0MDksImV4cCI6MTYxMzA1ODAwOSwiaWF0IjoxNjEzMDU0NDA5LCJqdGkiOiJNU1RSV0xGQ0FOQURBLmEuODY2MTczOTUtZDlmYi00OGIyLWIyYmUtMzlhZWQyODQ3YjhhXzE2MTMwNTQ0MDk1OTMuMTYxMzA1NDQwOTU5MyJ9.kOaxEPGrDjiNU2Zn2IxQbRk132W2YcUPu9vusBD64XpKhk00nDajOvcLSHMyC0k7hdNPhHr2MkzhzFkHTJzA9SA6czAgTq34NAknYYTFdxdbVp4A8PFyXwcXke6Plu-YIzFkPwSGquMBU1eW93YmcjU6V4Svp5Nz90sog2AV74xr_hjruSxlLAJ2uIuxMhFrnJsxmUYKqxhzKUkaIIvAf_nbweLNdfx5Vms1LeZZEAIRRoqp1ugpTbVUKLbJwVhw9s8K_NW7WcTIIuIrK3Sukstk6M-tvm04DpyU3SJMriKuWZtTI9J4e1yI0BfyJ4DB4E_L6AydWrVefM7WYRD_TQ","expires_in":"3600","token_type":"bearer"}
The access token is Base64url encoded. For more information, see RFC 6749. section 1.4.
When the refresh token expires, the token endpoint returns an invalid_grant error. The application must go back to Step One of the OAuth 2.0 authorization code grant flow to restart the process.