NetSuite OAuth2.0 Provider

Table of Contents

  • Purposes
  • Introduction
  • Preparing a Pair of SSL Certificates
  • Creating an Integration Record in the NetSuite Dashboard
  • Setting Up the HTTP Authentication in the Alumio Dashboard
  • What to Do When the Current Pair of Certificates is Expiring


This article explains how to connect Alumio to NetSuite using the Client Credentials Flow.


Oracle NetSuite provides a few options for authentication to access its API. One of them is the Client Credentials Flow. The flow allows you to get the OAuth2.0 access token without the need to interact with the NetSuite authorization page. That is why the flow is labeled Machine to Machine.

Preparing a Pair of SSL Certificates

Create a pair of certificates on your computer that meets the following conditions.

  • The public part of the certificate must be in x.509 format with a file extension of .cer, .pem, or .crt.
  • The length of the RSA key must be 3072 bits or 4096 bits. The length of the EC key must be 256 bits, 384 bits, or 521 bits.
  • The maximum time period that a certificate can be valid is two years. If the certificate is valid for a longer time period, the system automatically shortens the time period to two years.
  • One certificate can only be used for one combination of integration record, role, and entity. If you want to use the same integration record for multiple entities or roles, you must use a different certificate for each unique combination.

On Linux, you can generate the certificates using OpenSSL, for example with the command below.

openssl req -x509 -newkey rsa:4096 -sha256 -keyout auth-key.pem -out auth-cert.pem -nodes -days 730

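Keep the pair of certificates somewhere safe. The -nodes option writes the private key (auth-key.pem) to disk unencrypted, so restrict access to that file; only the public part (auth-cert.pem) is uploaded to NetSuite.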

Creating an Integration Record in the NetSuite Dashboard

  1. Go to Setup > Integration > New.
  2. Enter a name for your application in the Name field.
  3. Enter a description in the Description field, if preferred.
  4. Select Enabled in the State field.
  5. Enter a note in the Note field, if preferred.
  6. Uncheck all options in the Token-based Authentication section.
  7. Check only Client Credentials (Machine to Machine) Grant, and check all preferred scopes.
  8. Click Save.
  9. Copy the generated Consumer key and Consumer secret and keep them safe.

Creating a Client Credentials (M2M) Setup in the NetSuite Dashboard

  1. Go to Setup > Integration > Manage Authentication > OAuth 2.0 Client Credentials (M2M) Setup. The OAuth 2.0 Client Credentials Setup page appears.
  2. To create a new mapping, click the Create New button.
  3. In the popup window, choose the entity, role, and application to be mapped (the previous Integration Record created). Upload the public part of the certificate from your computer.
  4. Click Save.
  5. Keep the Certificate ID as it is needed in the next phase.

Setting Up the HTTP Authentication in the Alumio Dashboard

  1. Go to Clients > HTTP Authentications > New.
  2. Choose “Oauth2 authentication” as the Settings.
  3. Choose “Netsuite” as the Provider.
  4. Choose the preferred JWT algorithm.
  5. Enter the Certificate ID copied previously.
  6. Enter the Consumer Key copied previously.
  7. Enter the required scopes (comma separated).
  8. Enter the Authentication URL, for example,
  9. Enter the private key that has been created previously.
  10. Click the Retrieve an access token key button.
  11. Once the access token key is retrieved, save the HTTP authentication.

You can now select the created HTTP authentication in an HTTP client, or in any other configuration that needs it, to fetch resources from the NetSuite API.

What to Do When the Current Pair of Certificates is Expiring

  1. Create a new pair of certificates.
  2. Create a new Client Credentials (M2M) Setup as described in the previous section. Choose the same entity, role, and application as in the previous setup, but this time upload the newly created certificate.
  3. In the Alumio dashboard, update the private key of the HTTP authentication with the newly created private key.
  4. Save the HTTP authentication.

Alumio will then use the new private key to retrieve the token from NetSuite when the current access token expires.
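The certificate rules under Preparing a Pair of SSL Certificates and the rotation procedure above can be checked from the shell before an upload, or on a schedule. The script below is an added example, not part of the original article or of Alumio's or NetSuite's tooling. It assumes OpenSSL and GNU date and treats two years as 730 days counted from notBefore; the function names and the 30-day warning threshold are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Assumes OpenSSL and GNU date.
MAX_DAYS=730   # "two years", as in the -days 730 command above

# Print "<algorithm> <bits>" for the certificate's public key.
cert_key() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/Public Key Algorithm:/ { alg = $NF }
         /Public-Key: \(/ { gsub(/[^0-9]/, ""); print alg, $0; exit }'
}

# Succeed only for the key types and lengths listed in the article.
key_ok() {
  case "$(cert_key "$1")" in
    "rsaEncryption 3072"|"rsaEncryption 4096") return 0 ;;
    "id-ecPublicKey 256"|"id-ecPublicKey 384"|"id-ecPublicKey 521") return 0 ;;
    *) return 1 ;;
  esac
}

# Convert the notBefore/notAfter field ($2 = startdate|enddate) to epoch seconds.
cert_epoch() {
  date -d "$(openssl x509 -in "$1" -noout "-$2" | cut -d= -f2)" +%s
}

# Print whole days until the certificate must be replaced: the earlier of
# notAfter and notBefore + MAX_DAYS. Assumption: the two-year cap is counted
# from notBefore, the most conservative reading. $2 overrides "now" (epoch).
days_left() {
  local end cap now
  end=$(cert_epoch "$1" enddate)
  cap=$(( $(cert_epoch "$1" startdate) + MAX_DAYS * 86400 ))
  now=${2:-$(date +%s)}
  if [ "$end" -gt "$cap" ]; then end=$cap; fi
  echo $(( (end - now) / 86400 ))
}

# check_cert CERT [WARN_DAYS]: returns 0 = fine, 1 = key rejected,
# 2 = rotate now. WARN_DAYS defaults to 30 (an assumed threshold).
check_cert() {
  local left
  key_ok "$1" || { echo "FAIL: key not accepted: $(cert_key "$1")"; return 1; }
  left=$(days_left "$1")
  if [ "$left" -le "${2:-30}" ]; then
    echo "ROTATE: $left day(s) left"; return 2
  fi
  echo "OK: $(cert_key "$1"), $left day(s) left"
}
# Usage: check_cert auth-cert.pem 60
```

A certificate issued with a validity longer than 730 days is reported against the capped date, so the rotation warning fires before NetSuite's shortened period ends rather than at the date printed in the certificate.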