Using NetSuite’s Token Based Authentication with SuiteTalk
NetSuite’s OAuth is very different from the standard OAuth flow: setting up a user for token based auth is very cumbersome. It requires digging around in the NetSuite GUI, creating roles, and copy/pasting various keys.
Why use token based authentication? The alternative is email + password based authentication. This method works fine, but passwords expire every six months; resetting passwords every six months is a huge pain for a SaaS product that integrates with NetSuite. Plus, email + password auth is much less secure (an attacker can log in to the GUI with an email and password).
Here’s a guide to getting set up with token based authentication. Note that you must be using a SuiteTalk API version greater than 2015_2.
1. Create an Integration Record
The integration record identifies the application in NetSuite’s system.
- Visit the integrations page, or global search for page:integrations
- Create an integration record if none exists. After you create the record you will need to copy/paste the consumer key and consumer secret into your secrets file.
- Name: Your-Application-Name
- Authentication: Token-Based Authentication
- State: Enabled
- If the integration record already exists, but you don’t have the consumer key and consumer secret, edit the record, then press “Reset Credentials”.
2. Enable Token Based Authentication
- Setup > Company > Setup Tasks > Enable Features > SuiteCloud > Manage Authentication
- Make sure “Token Based Authentication” is enabled
- Save
If this feature is not enabled, you will not see the permissions required in the next step.
3. Create a Token Role
Strangely enough, the administrator does not have token permissions by default. If you do not create a token role and assign it to your administrator, you will get a "Login access has been disabled for this role." error when creating a token.
- Global search for page:role, then choose “New Role”
- Navigate to “Permissions > Setup” and add the following permissions:
- User Access Token: Full
- Access Token Management: Full
- Web Services: Full
4. Add Token Management Permissions
- Global search for page:employees
- Edit your employee record
- Navigate to “Access > Roles” and add the token auth role you just created
5. Create Access Tokens
- Global search for page:tokens
- New Access Token
- Select the application and role we created earlier, then press save.
- Copy/paste the token ID and token secret into your secrets file.
6. Configure Your Client
Here’s how to set up the netsuite Ruby client with token based authentication:
NetSuite.configure do
  reset!
  # NetSuite account ID
  account         ENV['NETSUITE_ACCOUNT']
  # consumer key and secret from the integration record (step 1)
  consumer_key    ENV['NETSUITE_CONSUMER_KEY']
  consumer_secret ENV['NETSUITE_CONSUMER_SECRET']
  # token ID and secret from the access token (step 5)
  token_id        ENV['NETSUITE_TOKEN_ID']
  token_secret    ENV['NETSUITE_TOKEN_SECRET']
end
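As an added example (not code from the original post or from the netsuite gem), here is what those five values are actually used for: building and checking the SuiteTalk tokenPassport signature, which is how a request proves it holds the token without ever sending the consumer secret or token secret. The environment variable names match the configuration above; the credentials in SAMPLE_TBA_ENV are constructed placeholders.

```ruby
require 'openssl'
require 'securerandom'

# The five environment variables read by the client configuration above.
TBA_ENV_KEYS = %w[NETSUITE_ACCOUNT NETSUITE_CONSUMER_KEY NETSUITE_CONSUMER_SECRET
                  NETSUITE_TOKEN_ID NETSUITE_TOKEN_SECRET].freeze

# Names of TBA values that are unset or blank, so a bad secrets file fails locally.
def missing_tba_values(env)
  TBA_ENV_KEYS.reject { |k| env[k] && !env[k].strip.empty? }
end

# Constant-time byte comparison (avoids leaking where two signatures differ).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build the SOAP tokenPassport fields. Base string and key follow NetSuite's
# documented TokenPassport layout:
#   base string = account&consumerKey&tokenId&nonce&timestamp
#   signing key = consumerSecret&tokenSecret
# Only the HMAC is sent; both secrets stay on the client.
def build_token_passport(env, nonce: SecureRandom.hex(10), timestamp: Time.now.to_i)
  missing = missing_tba_values(env)
  raise ArgumentError, "missing TBA values: #{missing.join(', ')}" unless missing.empty?
  base_string = [env['NETSUITE_ACCOUNT'], env['NETSUITE_CONSUMER_KEY'],
                 env['NETSUITE_TOKEN_ID'], nonce, timestamp].join('&')
  signing_key = "#{env['NETSUITE_CONSUMER_SECRET']}&#{env['NETSUITE_TOKEN_SECRET']}"
  digest      = OpenSSL::HMAC.digest('SHA256', signing_key, base_string)
  { account: env['NETSUITE_ACCOUNT'], consumerKey: env['NETSUITE_CONSUMER_KEY'],
    token: env['NETSUITE_TOKEN_ID'], nonce: nonce, timestamp: timestamp,
    signature: [digest].pack('m0'), algorithm: 'HMAC-SHA256' } # m0 = strict base64
end

# Recompute the signature with a second copy of the secrets: the check the server
# performs, and a quick local way to confirm secrets file and integration record agree.
def valid_token_passport?(passport, consumer_secret, token_secret)
  base_string = [passport[:account], passport[:consumerKey], passport[:token],
                 passport[:nonce], passport[:timestamp]].join('&')
  expected = OpenSSL::HMAC.digest('SHA256', "#{consumer_secret}&#{token_secret}", base_string)
  secure_equal?(expected, passport[:signature].unpack1('m0'))
end

# Constructed sample values (hypothetical, not real credentials).
SAMPLE_TBA_ENV = {
  'NETSUITE_ACCOUNT' => '123456_SB1', 'NETSUITE_CONSUMER_KEY' => 'ck_example',
  'NETSUITE_CONSUMER_SECRET' => 'cs_example', 'NETSUITE_TOKEN_ID' => 'tid_example',
  'NETSUITE_TOKEN_SECRET' => 'ts_example'
}.freeze
```

Because the nonce and timestamp are part of the signed string, a captured passport cannot be replayed with different values, which is the property that makes a leaked request log far less damaging than a leaked password.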
Hi Michael,
Have you ever run into issues with Netsuite caching permissions on the token login role? I’m trying to push some data and I’m getting nothing but “Permission Violation: You need the ‘Lists -> Contacts’ permission to access this page.” I added that permission hours ago, but nothing seems to work. If I switch to regular credentials I can push fine.
Hey Derek! Unfortunately I have run into permission cache issues with TBA. It could take minutes to hours (I’ve seen 8+ hours) for a role update to be propagated. More info here: https://mikebian.co/netsuite-suitetalk-user-role-edits-are-delayed/
That is unfortunate. Unbelievable that NS doesn’t provide a way to clear the cache, or even document the behavior in a discoverable way. Thanks for confirming my suspicions, though.
Can you use the same user for multiple access tokens?
Very helpful, thank you!