Prerequisites
Before setting up the OAuth 2.0 connection, ensure that:
- You have Administrator or Integration Manager role in NetSuite.
- The OAuth 2.0 authentication feature is enabled in NetSuite.
- A NetSuite Integration Record has been created.
- You have a valid client ID and client secret for authentication.
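Step 1: Run the "Get JSRSASIGN Crypto Library" request in the collection. It downloads the jsrsasign library and stores it in a Postman global; the token request's pre-request script later runs that stored text with eval(), in the same script that reads CERTIFICATE_PRIVATE_KEY. Because the request URL points at a "latest" build, pin it to a release you have reviewed before using a real key.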
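Step 2: Update the environment with your own values for CONSUMER_KEY, CERTIFICATE_PRIVATE_KEY, CERTIFICATE_ID and URL. The private key is stored in the environment, so do not share or commit an exported environment file that contains a real key.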
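Step 4: Run the POST request "Get Access Token (Generate JWT) [with comments]" to get the access token.
A JWT-generating pre-request script is included in that request in the Postman collection; it signs the client assertion. The request's test script stores the returned access token in a collection variable and also prints it to the Postman console.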

*** Save each of the two JSON documents below (ENVIRONMENT and REQUEST) as its own .json file and import both into Postman. ***
ENVIRONMENT:
{
"id": "23de43df-d63f-4a43-a9c8-ce64942c397c",
"name": "NetSuite REST API Environment Template",
"values": [
{
"key": "CONSUMER_KEY",
"value": "58586d9e0ac26c2ecee01527b3644b120a4707676909505eb3056662bf64fe9e",
"enabled": true
},
{
"key": "CERTIFICATE_PRIVATE_KEY",
"value": "-----BEGIN PRIVATE KEY-----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n-----END PRIVATE KEY-----n",
"type": "default",
"enabled": true
},
{
"key": "CERTIFICATE_ID",
"value": "PKRCPfzLwx8nKsftPGFdjctojp68pJ1oA4ch8ddVIh8",
"type": "default",
"enabled": true
},
{
"key": "URL",
"value": "https://td2972956.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token",
"type": "default",
"enabled": true
}
],
"_postman_variable_scope": "environment",
"_postman_exported_at": "2025-01-31T15:37:04.953Z",
"_postman_exported_using": "Postman/11.30.4-250130-2243"
}
REQUEST:
{
"info": {
"_postman_id": "ea187797-e6c8-414a-97ff-c9d498ac2639",
"name": "Secure - OAuth 2.0 REST Client Credentials (Auth Manual) Copy",
"description": "This collection shows how to get an access token using OAuth 2.0 and use it in a REST Web Services request. There's a custom script to request the access token.\n\nFirst create a certificate through openssl and create the mapping in NetSuite. Here's an easy way to create a valid certificate in openssl, at least as a developer testing out the process:\n\n`req -x509 -newkey rsa:3072 -keyout sw2021d_key.pem -out sw2021d_cert.pem -days 365 -nodes`\n\nNote that `-nodes` writes the private key to disk unencrypted, so protect the key file accordingly.",
"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
"_exporter_id": "36390176"
},
"item": [
{
"name": "Get JSRSASIGN Crypto Library",
"event": [
{
"listen": "test",
"script": {
"exec": [
"pm.globals.set("jsrsasign-js",responseBody); // set the library as globalr",
""
],
"type": "text/javascript"
}
}
],
"request": {
"method": "GET",
"header": [],
"url": {
"raw": "https://kjur.github.io/jsrsasign/jsrsasign-latest-all-min.js",
"protocol": "https",
"host": [
"kjur",
"github",
"io"
],
"path": [
"jsrsasign",
"jsrsasign-latest-all-min.js"
]
},
"description": "The built-in crypto-js library does not support PS256 and other algorithms which are supported for client credentials. This request brings in the jsrsasign library, which does support the required algorithms. See https://github.com/kjur/jsrsasign. This request and the code for the requests that use this library were adapted from https://stackoverflow.com/questions/53965446/how-to-sign-a-jwt-with-a-private-key-pem-in-cryptojs."
},
"response": []
},
{
"name": "Get Access Token (Generate JWT) [with comments]",
"event": [
{
"listen": "prerequest",
"script": {
"exec": [
"var navigator = {}; // necessary as part of "eval" on jsrsasign libr",
"var window = {}; // necessary as part of "eval" on jsrsasign libr",
"eval(pm.globals.get("jsrsasign-js")); // grabbing jsrsasign lib, loaded in separate GET r",
"r",
"const cryptojs = require('crypto-js'); // using crypto js for base64 encodingr",
"r",
"// Create JWT headerr",
"var jwtHeader = {r",
" alg: 'PS256', // Using PS256, which is one of the algorithms NetSuite supports for client credentialsr",
" typ: 'JWT',r",
" kid: pm.environment.get('CERTIFICATE_ID') // Certificate Id on the client credentials mappingr",
"};r",
"r",
"let stringifiedJwtHeader = JSON.stringify(jwtHeader);r",
"r",
"// Create JWT payloadr",
"let jwtPayload = {r",
" iss: pm.environment.get('CONSUMER_KEY'), // consumer key of integration recordr",
" scope: ['restlets','rest_webservices'], // scopes specified on integration recordr",
" iat: (new Date() / 1000), // timestamp in secondsr",
" exp: (new Date() / 1000) + 3600, // timestamp in seconds, 1 hour later, which is max for expirationr",
" aud: pm.environment.get('URL')r",
"};r",
"r",
"var stringifiedJwtPayload = JSON.stringify(jwtPayload);r",
"r",
"// The secret is the private key of the certificate loaded into the client credentials mapping in NetSuiter",
"let secret = pm.environment.get('CERTIFICATE_PRIVATE_KEY');r",
"let encodedSecret = cryptojs.enc.Base64.stringify(cryptojs.enc.Utf8.parse(secret)); // we need to base64 encode the keyr",
"r",
"// Sign the JWT with the PS256 algorithm (algorithm must match what is specified in JWT header).r",
"// The JWT is signed using the jsrsasign lib (KJUR)r",
"let signedJWT = KJUR.jws.JWS.sign('PS256',stringifiedJwtHeader,stringifiedJwtPayload,secret);r",
"r",
"// The signed JWT is the client assertion (encoded JWT) that is used to retrieve an access tokenr",
"pm.collectionVariables.set('clientAssertion', signedJWT);r",
""
],
"type": "text/javascript",
"packages": {}
}
},
{
"listen": "test",
"script": {
"exec": [
"if (pm.response.code === 200) {r",
"r",
" // Get the JSON body of the responser",
" let jsonBody = pm.response.json();r",
"r",
" let accessToken = jsonBody.access_token;r",
"r",
" console.log (accessToken);r",
"r",
" pm.collectionVariables.set("clientCredentialsAccessToken", accessToken);r",
"r",
"}r",
""
],
"type": "text/javascript",
"packages": {}
}
}
],
"request": {
"auth": {
"type": "noauth"
},
"method": "POST",
"header": [],
"body": {
"mode": "urlencoded",
"urlencoded": [
{
"key": "grant_type",
"value": "client_credentials",
"type": "text"
},
{
"key": "client_assertion_type",
"value": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"type": "text"
},
{
"key": "client_assertion",
"value": "{{clientAssertion}}",
"type": "text"
}
]
},
"url": {
"raw": "https://td2972956.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token",
"protocol": "https",
"host": [
"td2972956",
"suitetalk",
"api",
"netsuite",
"com"
],
"path": [
"services",
"rest",
"auth",
"oauth2",
"v1",
"token"
]
}
},
"response": []
},
{
"name": "Get Order",
"request": {
"auth": {
"type": "bearer",
"bearer": [
{
"key": "token",
"value": "{{clientCredentialsAccessToken}}",
"type": "string"
}
]
},
"method": "GET",
"header": [],
"url": {
"raw": "https://td2972956.suitetalk.api.netsuite.com/services/rest/record/v1/salesorder/304",
"protocol": "https",
"host": [
"td2972956",
"suitetalk",
"api",
"netsuite",
"com"
],
"path": [
"services",
"rest",
"record",
"v1",
"salesorder",
"304"
]
}
},
"response": []
}
],
"event": [
{
"listen": "prerequest",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
},
{
"listen": "test",
"script": {
"type": "text/javascript",
"exec": [
""
]
}
}
],
"variable": [
{
"key": "clientCredentialsAccessToken",
"value": ""
},
{
"key": "clientAssertion",
"value": ""
}
]
}