Refresh Token POST Request to the Token Endpoint
When the access token expires, the application can send the refresh token POST request to the token endpoint to get a new access token.
The format of the URL is:
https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token
where <accountID> represents your NetSuite account ID.
Request Parameters for the Refresh Token Request
Request Parameter | Description |
---|---|
grant_type | The value of the grant_type parameter is |
refresh_token | The value of the refresh_token parameter is in JSON Web Token (JWT) format. |
The client authentication method used in the header of the request follows the HTTP Basic authentication scheme. For more information, see RFC 7617. The format is client_id:client_secret. The string value is Base64url encoded. The following code provides an example.
POST /services/rest/auth/oauth2/v1/token HTTP/1.1
Host: <accountID>.suitetalk.api.netsuite.com
Authorization: Basic Njc5NGEzMDg2ZTRmNjFhMTIwMzUwZDAxYjg1MjdhZWQzNjMxNDcyZWYzMzQxMjIxMjQ5NWJlNjVhOGZjOGQ0YzpjZGM3YWMyMjE4M2VmNTAyNGU4MWIwZmNlOGVmNDYxYzQ0ZDU4OTZhMWYxODA1ZDRiMzcyY2E2MWM0ZDMyNmFl
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1NTstNSIsImF1ZCI6WyJEREUyNDFGRC1ENjVGLTQ0REQtQUNBRC0wRjJEQ0MzRDhCRkM7TVNUUldMRkNBTkFEQSIsIjk5MDFjZTQxZTAxZjdlZDlkZmY4NDliNGRjYTVmNTVlZDIyYjliNmY5MmIyY2ViZTViMTUxZjhiYTM5NzQ0MTUiXSwic2NvcGUiOlsiZW1haWwiLCJvcGVuaWQiXSwiaXNzIjoiaHR0cHM6XC9cL3N5c3RlbS5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2MTMwNTQ0MDksImV4cCI6MTYxMzY1OTIwOSwiaWF0IjoxNjEzMDU0NDA5LCJqdGkiOiJNU1RSV0xGQ0FOQURBLnIuODY2MTczOTUtZDlmYi00OGIyLWIyYmUtMzlhZWQyODQ3YjhhXzE2MTMwNTQ0MDk1OTMuMCJ9.R20NH4bOSZFY8fF_BQasT-_H9vdlLPQUUjT_vk-QhldCp0ldtKDuYk9jZQyyuFhvDeJymRfgnGcG9FGoEz3ArN7VroxZiPlHjG-lk7TDn0WeUR6Gqsvf9ITLfrUj5vy-Nqux91WesE02g6WFRt8YOz1o0D4wagmfpHLIgNpLmMGzpDwOzgOxvUBwLwXrVMptj_gPKrsIFafuak7my8xy332f3ZWbG80VSra_wif4Kgy1NGJ8BCLcy6t5Q4RgJ1pgEau52rkBi6EqcNyPsFvzpkElmQq8S9yJo9ALXrNIXrx6XP-kDAR7Pai3lpqZGEYVi-DODYBDimgj-bWG1HPT3w
If you use public clients, you can choose from the following options:
- The HTTP request doesn't contain the Authorization header, and the client_id parameter is included in the body of the request, or
- The HTTP Authorization request header contains only the client_id.
HTTP Response for Refresh Token Request
JSON Response Fields | Description |
---|---|
access_token | The value of the access_token parameter is in JSON Web Token (JWT) format. The access token is valid for 60 minutes. |
expires_in | The value of the expires_in parameter is always |
token_type | The value of the token_type parameter is always |
If you use public clients with OAuth 2.0, the refresh token request returns both an access token and a refresh token. The refresh token is for one-time use only and is valid for two days by default. You can change this validity period on the integration record. The accepted values are between one hour and 720 hours (thirty days in hours).
The following is an example of a response:
{"access_token":"eyJraWQiOiJzLlNZU1RFTS4yMDIwXzEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1NTstNSIsImF1ZCI6WyJEREUyNDFGRC1ENjVGLTQ0REQtQUNBRC0wRjJEQ0MzRDhCRkM7TVNUUldMRkNBTkFEQSIsIjk5MDFjZTQxZTAxZjdlZDlkZmY4NDliNGRjYTVmNTVlZDIyYjliNmY5MmIyY2ViZTViMTUxZjhiYTM5NzQ0MTUiXSwic2NvcGUiOlsiZW1haWwiLCJvcGVuaWQiXSwiaXNzIjoiaHR0cHM6XC9cL3N5c3RlbS5uZXRzdWl0ZS5jb20iLCJvaXQiOjE2MTMwNTQ0MDksImV4cCI6MTYxMzA1ODAwOSwiaWF0IjoxNjEzMDU0NDA5LCJqdGkiOiJNU1RSV0xGQ0FOQURBLmEuODY2MTczOTUtZDlmYi00OGIyLWIyYmUtMzlhZWQyODQ3YjhhXzE2MTMwNTQ0MDk1OTMuMTYxMzA1NDQwOTU5MyJ9.kOaxEPGrDjiNU2Zn2IxQbRk132W2YcUPu9vusBD64XpKhk00nDajOvcLSHMyC0k7hdNPhHr2MkzhzFkHTJzA9SA6czAgTq34NAknYYTFdxdbVp4A8PFyXwcXke6Plu-YIzFkPwSGquMBU1eW93YmcjU6V4Svp5Nz90sog2AV74xr_hjruSxlLAJ2uIuxMhFrnJsxmUYKqxhzKUkaIIvAf_nbweLNdfx5Vms1LeZZEAIRRoqp1ugpTbVUKLbJwVhw9s8K_NW7WcTIIuIrK3Sukstk6M-tvm04DpyU3SJMriKuWZtTI9J4e1yI0BfyJ4DB4E_L6AydWrVefM7WYRD_TQ","expires_in":"3600","token_type":"bearer"}
The access token is Base64url encoded. For more information, see RFC 6749, section 1.4.
When the refresh token expires, the token endpoint returns an invalid_grant error. The application must go back to Step One of the OAuth 2.0 authorization code grant flow to restart the process.
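The following Python sketch is an added example, not NetSuite code. It builds the refresh request for a confidential client (Basic header) and for a public client (client_id in the body), then applies the response: it stores a rotated one-time refresh token and treats invalid_grant as a signal to restart the authorization code grant flow. The function names, the state dictionary and the 60-second skew are assumptions.

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_URL = "https://{account_id}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"


class ReauthorizationRequired(Exception):
    """Refresh token rejected: restart the authorization code grant flow."""


def build_refresh_request(account_id, refresh_token, client_id, client_secret=None):
    """Return (url, headers, body). client_secret=None means a public client."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_secret is None:
        # Public client, first option above: no Authorization header,
        # client_id travels in the request body.
        form["client_id"] = client_id
    else:
        # Confidential client: HTTP Basic (RFC 7617) over client_id:client_secret.
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    return TOKEN_URL.format(account_id=account_id), headers, urlencode(form)


def apply_token_response(payload, state, now=None):
    """Update state (hypothetical dict: access_token, refresh_token, expires_at)
    from a parsed JSON response body."""
    now = time.time() if now is None else now
    if payload.get("error") == "invalid_grant":
        # Expired refresh token: drop it so it is never retried or left on disk.
        state.update(access_token=None, refresh_token=None, expires_at=0)
        raise ReauthorizationRequired("refresh token no longer valid")
    if "error" in payload or "access_token" not in payload:
        raise ValueError("unexpected token response: %s" % payload.get("error"))
    state["access_token"] = payload["access_token"]
    # expires_in arrives as a string in the sample response above.
    state["expires_at"] = now + int(payload["expires_in"])
    # Public clients get a new one-time refresh token; keep only the newest.
    if payload.get("refresh_token"):
        state["refresh_token"] = payload["refresh_token"]
    return state


def needs_refresh(state, now=None, skew=60):
    """True when the access token is missing or within `skew` seconds of expiry."""
    now = time.time() if now is None else now
    return not state.get("access_token") or now >= state["expires_at"] - skew
```

Send the returned url, headers and body with any HTTPS client, and keep token values out of application logs.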