Setting up REST Web Services with OAuth 2.0 in your NetSuite Account

This article describes how to configure the NetSuite account to use REST web services with OAuth 2.0 authentication.

Photo by Kevin Ku on Unsplash

Enable Web Services

The NetSuite REST web services provide an integration channel that extends the SuiteTalk capabilities. To use the services, the following features must be enabled in your account.

REST web services and OAuth 2.0 feature

  • Go to Setup > Company > Enable features.
  • Select SuiteCloud subtab.
  • Check the REST WEB SERVICES in the SuiteTalk (Web Services) section.
    (To use the feature, you must accept the SuiteCloud Terms of Service)
  • Check the OAUTH 2.0 in the Manage Authentication section.
  • Save the changes.

SuiteAnalytics Workbook feature

  • Go to Setup > Company > Enable features.
  • Select Analytics subtab.
  • Save the changes.

Assigning the Required Permissions to a User’s Role

  • Go to Setup > Users/Roles > User Management > Manage Roles.
  • Locate the role you want to modify. Click the Edit or Customize link.
  • On the Permissions subtab, click Setup.
  • In the Permission list, select REST Web Services and set Level as Full.
  • Select Log in using Access Tokens and set Level as Full.
  • On the Permissions subtab, click Reports.
  • Select SuiteAnalytics Workbook and set Level as Full.
  • Save the changes.

NetSuite provides an account-specific domain, which contains the account ID as part of the domain name to access REST web services. You can find the service URL for at Setup > Company > Company Information, on the Company URLs subtab.

Please note that the SuiteTalk (SOAP and REST web services) URL is required to be provided when communicating with client applications.

Configure Authentication

OAuth 2.0 authorization framework enables client applications to use a token to access NetSuite. This method eliminates the need for REST web services to store user credentials. NetSuite only supports authorization code grant flow

To use REST web services with OAuth 2.0, you must create an application using an integration record that provides the Client ID and Client Secret.

  • Go to Setup > Integration > Manage Integrations > New.
  • Enter a name for your application in the Name field.
  • Select Enabled in the State field.
  • On the Authentication tab, check the AUTHORIZATION CODE GRANT under OAuth 2.0 subtab.
  • Enter the valid Redirect URI. For the demo, I’ll be using “”
  • Check the REST Web Services box.
  • Save the changes.

Once you click Save, the Client Credentials (the client ID and client secret) values are displayed is on the confirmation page. Make sure you note them as it only appears once due to security reasons.

After you create the integration application, continue with the following steps to obtain tokens. The authorization code grant flow consists of two steps

GET Request to the Authorization Endpoint

This request will give the authorization code, once you Allow/Continue the application authorization.

  • Open up a new tab in your browser and paste the following URL. The account ID represents your NetSuite account ID and client ID represents the integration record you created above.
  • Once the request is sent, the system displays the consent screen
  • Click Allow/Continue button to proceed.
  • Then the browser will be redirected to your specified Redirect URL with the code as a query param

POST Request to the Token Endpoint

This request will give the access token and the refresh token. For this step, I’ll be using Postman as the client. The request must include client credentials in the HTTP authorization request header. Therefore add CLIENT_ID and CLIENT_SECRET under Basic Auth.

Add the following parameters in the request body where the content type is application/x-www-form-urlencoded.

  • code (The code parameter value obtained in above step)
  • redirect_uri (Integration record Redirect URL)
  • grant_type (specify as authorization_code)

The success response will provide the access token and refresh token.


Please note when the refresh token expires(in 7 days), the token endpoint returns an invalid_grant error. The application must go through the aforementioned OAuth 2.0 authorization code grant flow to obtain tokens again.

In summary, the article covered mandatory steps such as

  • Enable REST WS, OAuth 2.0 and Analytics
  • Assign permission to user’s role
  • Obtain REST URL to invoke resources
  • Create integration record and obtain the Client ID and Secret
  • Obtain Access and Refresh token

to get your NetSuite account to interact with client application over REST web services with OAuth 2.0 authentication.

Developer | Traveller