How to Share OAuth 2.0 Integration Credentials in NetSuite Without Granting Account Access

When setting up OAuth 2.0 integrations in NetSuite, there may be scenarios where you need to share the integration credentials with someone who does not have direct access to the NetSuite account. To securely enable this, NetSuite provides an OAuth 2.0 Consent Policy during the creation of the integration record. By selecting the appropriate consent policy, you can allow the recipient to generate access tokens and refresh tokens without requiring them to log in to NetSuite.

🎯 Objective

To allow an external developer, partner, or system to use the OAuth 2.0 credentials for API calls without having direct login access to the NetSuite account.

Key Concept: OAuth 2.0 Consent Policy

When creating an Integration Record in NetSuite for OAuth 2.0, you are prompted to set a Consent Policy that determines how and when user authorization is required.

Available Consent Policies:

  • Always Ask: Prompts the user to authorize every time a token is generated.
  • Ask One Time: Prompts for authorization only the first time a token is requested.
  • Never Ask: Allows token generation without requiring user authorization after the initial setup.

✅ To enable seamless token generation for someone without NetSuite access, choose “Never Ask” as the consent policy.

📝 Step-by-Step Guide

Step 1: Create an Integration Record

  1. Navigate to:
Customization > Integration > Manage Integrations > New
  2. Fill in the required fields:
  • Name: Enter a descriptive name for the integration.
  • State: Set to Enabled to allow API requests.
  • Authentication: Select OAuth 2.0 as the authentication method.
  3. Redirect URI:
  • Specify the redirect URI to which NetSuite will send the authorization code after consent is granted.
  4. Consent Policy:
  • Under OAuth 2.0 Consent Policy, select:
Never Ask
  • This option ensures that once the tokens are generated, NetSuite will not require reauthorization.
  5. Click Save to create the integration record.

Step 2: Generate Client ID and Client Secret

  1. After saving the integration record, NetSuite will display the Client ID and Client Secret.
  2. Copy and securely share these credentials with the recipient.

Step 3: Share Authorization URL for Token Generation

To allow the recipient to generate OAuth tokens, provide them with the following information:

  • Authorization URL:
https://<account_id>.suitetalk.api.netsuite.com/services/oauth2/v1/authorize
  • Token URL:
https://<account_id>.suitetalk.api.netsuite.com/services/oauth2/v1/token
  • Client ID: Generated from the integration record.
  • Client Secret: Generated from the integration record.
  • Redirect URI: The URI configured in the integration record.

Step 4: Recipient Generates OAuth Tokens

The recipient can now follow these steps to generate the tokens:

  1. Send a POST request to the authorization URL to obtain an authorization code.
  2. Use the authorization code to request an access token and a refresh token from the token URL.
  3. Store the tokens securely and use the access token for subsequent API calls.
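The recipient's side of Step 4, as an added Python example (it is not code from the article or from NetSuite): it builds the authorization request, validates the callback, exchanges the code for tokens and refreshes them. Assumptions: the endpoint URLs are the ones quoted above and are passed in as parameters; the Client ID, Client Secret, redirect URI, account id and authorization code are placeholders; `rest_webservices` is used as the scope for SuiteTalk REST; HTTP goes through a replaceable `transport` so the block runs offline against a constructed stand-in for the token endpoint. Two points the step list above does not spell out: in the standard authorization code grant the authorization endpoint is opened by the browser (a GET of the URL built here) and only the token endpoint is called with POST, and the request carries a PKCE code challenge (RFC 7636) plus a `state` value that the callback handler checks, so a forged callback or a replayed state cannot be turned into tokens.

```python
"""Authorization-code flow helper for a NetSuite OAuth 2.0 integration (example)."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request


class NetSuiteOAuthClient:
    """Builds the authorize URL, exchanges the code for tokens, refreshes them.

    Endpoint URLs are supplied by the caller (the demo uses the article's URLs).
    `transport(url, headers, body) -> (status, text)` does the HTTP POST and is
    replaced by a fake in the demo so the block runs offline.
    """

    def __init__(self, client_id, client_secret, redirect_uri,
                 authorize_url, token_url, transport=None):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.authorize_url = authorize_url
        self.token_url = token_url
        self.transport = transport or self._http_post
        self._pending = {}  # state -> PKCE code_verifier awaiting a callback

    def build_authorization_url(self, scope="rest_webservices"):
        # PKCE (RFC 7636): random verifier kept locally, S256 challenge sent along.
        verifier = secrets.token_urlsafe(64)
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        state = secrets.token_urlsafe(32)  # binds the callback to this request
        self._pending[state] = verifier
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return f"{self.authorize_url}?{urllib.parse.urlencode(params)}", state

    def exchange_callback(self, callback_url):
        """Validate the URL the browser was redirected to and exchange the code."""
        query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
        if "error" in query:
            raise RuntimeError(f"authorization failed: {query['error'][0]}")
        state = query.get("state", [None])[0]
        verifier = self._pending.pop(state, None)  # one-time use: pop, not get
        if verifier is None:
            raise RuntimeError("unknown or reused state: callback rejected")
        return self._token_request({
            "grant_type": "authorization_code",
            "code": query["code"][0],
            "redirect_uri": self.redirect_uri,
            "code_verifier": verifier,
        })

    def refresh(self, refresh_token):
        """Obtain a new access token without any user interaction."""
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": refresh_token})

    def _token_request(self, form):
        # Confidential client: Client ID/Secret travel in the Basic auth header.
        creds = base64.b64encode(
            f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, payload = self.transport(self.token_url,
                                         headers, urllib.parse.urlencode(form).encode())
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {payload}")
        return json.loads(payload)

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for the token endpoint; checks the request shape only."""
    form = urllib.parse.parse_qs(body.decode())
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, json.dumps({"error": "invalid_client"})
    if form["grant_type"][0] == "authorization_code" and "code_verifier" in form:
        return 200, json.dumps({"access_token": "at-1", "refresh_token": "rt-1",
                                "token_type": "Bearer", "expires_in": 3600})
    if form["grant_type"][0] == "refresh_token":
        return 200, json.dumps({"access_token": "at-2", "token_type": "Bearer",
                                "expires_in": 3600})
    return 400, json.dumps({"error": "invalid_request"})


def demo():
    """Full round trip with placeholder values and the fake endpoint."""
    account = "123456"  # placeholder account id
    client = NetSuiteOAuthClient(
        client_id="CLIENT_ID_FROM_INTEGRATION_RECORD",          # placeholder
        client_secret="CLIENT_SECRET_FROM_INTEGRATION_RECORD",  # placeholder
        redirect_uri="https://integration.example.com/callback",
        authorize_url=f"https://{account}.suitetalk.api.netsuite.com/services/oauth2/v1/authorize",
        token_url=f"https://{account}.suitetalk.api.netsuite.com/services/oauth2/v1/token",
        transport=fake_token_endpoint,
    )
    url, state = client.build_authorization_url()  # user opens this in a browser
    callback = f"https://integration.example.com/callback?code=AUTHCODE&state={state}"
    tokens = client.exchange_callback(callback)
    refreshed = client.refresh(tokens["refresh_token"])
    return tokens, refreshed


if __name__ == "__main__":
    print(demo())
```

Dropping `transport=` from the constructor makes the client use `urllib` against the real token URL. The `state` is popped rather than read, so a callback can be exchanged at most once, and the refresh path is the one a backend calls on a timer once the initial consent has been given.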

🔐 Security Considerations

  • Restrict Token Scope: Define the minimal required scope for the integration to limit what actions the API can perform.
  • Rotate Secrets Periodically: Regenerate the Client Secret on a schedule so that a leaked secret has a bounded useful lifetime.
  • Monitor API Usage: Enable logging and audit trails to track API usage and detect any suspicious activity.
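One way to act on the "Monitor API Usage" and "Rotate Secrets Periodically" items, as an added Python example that is not part of the article: three checks run over token-endpoint events. The event shape (JSON lines with `ts`, `client_id`, `grant_type`, `src_ip`, `result`) and the sample events are constructed for this example and are not NetSuite's audit-log format; the client ids, addresses, thresholds and rotation age are likewise assumptions to be replaced with the account's own values.

```python
"""Detection checks over OAuth 2.0 token-endpoint events (example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in an assumed JSON-lines shape (not NetSuite's own
# audit format): one line per request to the token endpoint.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:00:00Z", "client_id": "int-erp-sync", "grant_type": "refresh_token", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2024-05-01T08:30:00Z", "client_id": "int-erp-sync", "grant_type": "refresh_token", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2024-05-01T08:41:00Z", "client_id": "int-erp-sync", "grant_type": "refresh_token", "src_ip": "198.51.100.7", "result": "success"}
{"ts": "2024-05-01T09:00:00Z", "client_id": "int-reporting", "grant_type": "refresh_token", "src_ip": "203.0.113.20", "result": "success"}
{"ts": "2024-05-01T09:01:00Z", "client_id": "int-reporting", "grant_type": "refresh_token", "src_ip": "203.0.113.20", "result": "invalid_client"}
{"ts": "2024-05-01T09:01:10Z", "client_id": "int-reporting", "grant_type": "refresh_token", "src_ip": "203.0.113.20", "result": "invalid_client"}
{"ts": "2024-05-01T09:01:20Z", "client_id": "int-reporting", "grant_type": "refresh_token", "src_ip": "203.0.113.20", "result": "invalid_client"}
{"ts": "2024-05-01T09:01:30Z", "client_id": "int-reporting", "grant_type": "refresh_token", "src_ip": "203.0.113.20", "result": "invalid_client"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def refresh_from_multiple_sources(events, window=timedelta(hours=1)):
    """Clients whose refresh grants succeed from more than one source address
    inside `window`. Under 'Never Ask' nobody re-consents, so a refresh token
    turning up from a second network is an early sign it has been copied."""
    findings = []
    by_client = defaultdict(list)
    for e in events:
        if e["grant_type"] == "refresh_token" and e["result"] == "success":
            by_client[e["client_id"]].append(e)
    for client, evs in by_client.items():
        for i, first in enumerate(evs):
            ips = {x["src_ip"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ips) > 1:
                findings.append((client, sorted(ips)))
                break  # one finding per client is enough
    return findings


def failed_token_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(client_id, src_ip) pairs with at least `threshold` failed token
    requests inside `window`: a revoked or mistyped secret, or a leaked
    Client ID being tried with guessed secrets."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            failures[(e["client_id"], e["src_ip"])].append(e["ts"])
    for key, times in failures.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                findings.append(key)
                break
    return findings


def secrets_due_for_rotation(secret_issued, now, max_age=timedelta(days=90)):
    """Client ids whose Client Secret is older than `max_age`.
    `secret_issued` maps client_id -> when the secret was last regenerated."""
    return sorted(c for c, issued in secret_issued.items() if now - issued > max_age)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("refresh from several sources:", refresh_from_multiple_sources(evs))
    print("failed-request bursts:", failed_token_bursts(evs))
    issued = {"int-erp-sync": datetime(2024, 1, 1, tzinfo=timezone.utc),
              "int-reporting": datetime(2024, 4, 1, tzinfo=timezone.utc)}
    print("secrets due for rotation:",
          secrets_due_for_rotation(issued, datetime(2024, 5, 1, tzinfo=timezone.utc)))
```

The multi-source check is the one that matters most for a shared "Never Ask" integration: the whole point of the policy is that nobody is prompted again, so the token endpoint records are the only place a copied refresh token shows up. Feed it the account's real token-request records in place of the constructed lines, and keep the per-client secret issue dates next to the integration record so the rotation check can run on a schedule.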

🎁 Pro Tip: Regenerate Tokens Without Logging In

With Never Ask set as the consent policy, the recipient can programmatically generate and refresh tokens without logging in to NetSuite. This is especially useful when integrating with external systems that need continuous API access.

Advantages of Using ‘Never Ask’ Consent Policy

  1. Seamless Automation: Tokens can be refreshed automatically without user intervention.
  2. Reduced Manual Effort: No need to log in or approve the consent repeatedly.
  3. Ideal for System-to-System Integrations: Ensures smooth, uninterrupted API calls for backend processes.

🛑 When Not to Use ‘Never Ask’

Avoid using this policy when granting credentials to untrusted third parties: it bypasses the consent prompt, so if the credentials are misused there is no authorization step left to stop unauthorized access.

By following these steps, you can securely share OAuth 2.0 credentials with external users or systems while maintaining control over NetSuite API access.
