The Request Token Structure

The JWT bearer token for the POST request to the token endpoint in the OAuth 2.0 client credentials flow includes three parts: a header, a payload, and a signature.

The token header includes the following parameters:

Parameter Name: Description

typ: The value of the typ parameter is always JWT.

alg: The value of the alg parameter is PS256, PS384, PS512, ES256, ES384, or ES512. The value you choose determines the algorithm used for signing of the token.

kid: The value of the kid parameter is the value of the Certificate ID generated during the mapping of the application. For more information, see OAuth 2.0 Client Credentials Setup.

The token payload includes the following parameters:

Parameter Name: Description

iss: The value of the iss parameter is the client ID for the integration. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

scope: The value of the scope parameter is restlets, rest_webservices, suite_analytics, or all of them, separated by a comma.

aud: The value of the aud parameter is the NetSuite token endpoint, https://<accountID>

exp: The value of the exp parameter represents the number of seconds since January 1, 1970, until the token’s expiration. The value must be less than 60 minutes greater than the value of the iat parameter.

iat: The value of the iat parameter represents when the token was issued. The value of the parameter is in seconds, since January 1, 1970.


The token’s dot-separated values are Base64 encoded.

The public part of the certificate is used to validate the signature. The private part of the same certificate is used in the kid parameter. For more information, see OAuth 2.0 Access and Refresh Token Structure.
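
A pre-flight check of the header and payload rules listed above, as an added example that is not part of the NetSuite documentation or NetSuite's own code. It assumes unpadded base64url segments (the standard JWT encoding), checks only that aud is an https URL, and does not verify the signature; check_request_token, its helpers, and the sample values are hypothetical.

```python
import base64
import json

ALLOWED_ALGS = {"PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
ALLOWED_SCOPES = {"restlets", "rest_webservices", "suite_analytics"}

def b64url(obj: dict) -> str:  # unpadded base64url JSON segment (builds the sample)
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_segment(seg: str) -> dict:
    obj = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def check_request_token(token: str, now: int) -> list:
    """Return rule violations ([] means OK). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["expected three dot-separated parts"]
    try:
        h, p = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    scopes = {s.strip() for s in str(p.get("scope", "")).split(",")}
    rules = [
        (h.get("typ") == "JWT", "typ must be JWT"),
        (str(h.get("alg")) in ALLOWED_ALGS, "alg not allowed"),  # rejects "none", HS*
        (bool(h.get("kid")), "kid (Certificate ID) missing"),
        (bool(p.get("iss")), "iss (client ID) missing"),
        (scopes <= ALLOWED_SCOPES, "scope contains an unknown value"),
        (str(p.get("aud", "")).startswith("https://"), "aud must be an https URL"),  # assumption: scheme only
    ]
    errs = [msg for ok, msg in rules if not ok]
    iat, exp = p.get("iat"), p.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        errs.append("iat and exp must be integer seconds since 1970-01-01")
    elif not 0 < exp - iat < 3600:
        errs.append("exp must be less than 60 minutes after iat")
    elif exp <= now:
        errs.append("token already expired")
    return errs

# Constructed sample values, not real credentials or a real endpoint.
HEADER = {"typ": "JWT", "alg": "PS256", "kid": "CONSTRUCTED_CERT_ID"}
PAYLOAD = {"iss": "CONSTRUCTED_CLIENT_ID", "scope": "restlets,rest_webservices",
           "aud": "https://example.invalid/token", "iat": 1700000000, "exp": 1700003000}
SAMPLE = ".".join([b64url(HEADER), b64url(PAYLOAD), "constructed-signature"])
```

Running the check before the POST catches a disallowed alg, an unknown scope, or a lifetime of 60 minutes or more locally, before the token leaves the client.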

Related Topics

OAuth 2.0
OAuth 2.0 for Integration Application Developers
OAuth 2.0 Client Credentials Flow
POST Request to the Token Endpoint and the Access Token Response
Troubleshooting OAuth 2.0
