
NetSuite OAuth 2.0: Complete Setup Guide for Integration Applications

Learn how to configure OAuth 2.0 on your NetSuite integration record — including grant types, redirect URIs, scopes, public clients, and consent policies. For the initial integration record setup, see our Integration Record Guide.

Prerequisites

  • Integration Record: You must have already created an integration record. See the Integration Record Guide
  • Permission: Administrator role or Integration Application permission

Why OAuth 2.0?

OAuth 2.0 is the industry-standard authorization framework (RFC 6749) and NetSuite's recommended authentication method for new integrations. NetSuite supports two grant types:

  • Authorization Code Grant — For user-interactive flows where a user authorizes the application through a browser-based consent screen. Best for applications where users log in.
  • Client Credentials (Machine-to-Machine) Grant — For server-to-server automation without user interaction. Best for background processes, scheduled jobs, and system integrations.
💡 Tip: You can enable both grant types on the same integration record. This gives your application flexibility to use whichever flow is appropriate for each use case.
[Screenshot: OAuth 2.0 — The recommended authentication method for NetSuite integrations]

Configuring OAuth 2.0 on the Integration Record

Once you've created your integration record, configure the OAuth 2.0–specific options on the Authentication subtab.

📍 Navigation: Setup > Integration > Manage Integrations > [Your Record] > Authentication subtab

[Screenshot: Authentication subtab — OAuth 2.0 configuration options]

Step 1: Choose Your Grant Type(s)

  1. Check Authorization Code Grant for user-interactive flows
  2. Check Client Credentials (Machine to Machine) Grant for server-to-server automation
  3. You can check both if your application needs both flows
[Screenshot: Grant type checkboxes]

Step 2: Configure Redirect URI (Authorization Code Grant)

  1. Enter one or more valid Redirect URIs for your application
  2. Must use https:// or a custom URL scheme (e.g., myapp://callback, the pattern used by native apps whose operating system routes the callback to the app)
  3. The http:// scheme is NOT supported: an authorization code returned over plain HTTP could be read or replaced on the network, so transport layer security is required
  4. URIs are validated when you save the record
  5. For example, if you're connecting NetXcel, enter: https://netxcel.maayins.com/taskpane.html#/oauth-callback
[Screenshot: Redirect URI configuration]
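As an added example (not code from this page, from NetXcel, or from NetSuite's own validation), the following Python applies the Step 2 rules to a list of redirect URIs and shows the exact-match check an authorization server should perform against the registered list. The NetXcel URI is the page's own example; the myapp://callback entry and the other inputs are constructed sample values.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the Redirect URI list on an integration record. The first entry
# is the page's NetXcel example; myapp://callback is a hypothetical native-app scheme.
REGISTERED_REDIRECT_URIS: List[str] = [
    "https://netxcel.maayins.com/taskpane.html#/oauth-callback",
    "myapp://callback",
]


def is_acceptable_redirect_uri(uri: str) -> Tuple[bool, str]:
    """Apply the Step 2 rules to one URI: https:// or a custom scheme is allowed,
    http:// is refused because the authorization code would travel in clear text."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "no scheme: relative or malformed URI"
    if scheme == "http":
        return False, "http:// is not supported; TLS is required"
    if scheme == "https":
        if not parts.netloc:
            return False, "https URI has no host"
        return True, "ok"
    # Custom scheme (e.g. myapp://callback) used by native apps; it must still name a target.
    if not (parts.netloc or parts.path):
        return False, "custom-scheme URI has no target"
    return True, "ok"


def validate_redirect_uris(uris: List[str]) -> List[str]:
    """Mimic the save-time validation: one message per rejected URI, empty list if all pass."""
    problems = []
    for uri in uris:
        ok, reason = is_acceptable_redirect_uri(uri)
        if not ok:
            problems.append(f"{uri!r}: {reason}")
    return problems


def matches_registered(callback_uri: str, registered: Optional[List[str]] = None) -> bool:
    """Exact-string match, as OAuth 2.0 security guidance requires for redirect URIs.
    Prefix, wildcard or host-only matching would let an attacker-controlled path or
    look-alike host receive the authorization code."""
    allowed = REGISTERED_REDIRECT_URIS if registered is None else registered
    return callback_uri in allowed
```

The exact-match rule is the one to keep in mind when the URI NetSuite redirects to differs from the registered one by a trailing slash, a port, or a fragment: the safe behaviour is to reject, not to normalise.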

Step 3: Select API Scopes

  1. Check RESTlets if your application accesses RESTlets
  2. Check REST Web Services if your application accesses SuiteTalk REST APIs
  3. Check SuiteAnalytics Connect if your application needs SuiteAnalytics access
  4. Check NetSuite AI Connector Service if your application needs MCP Tools access
⚠️ Warning: When using the NetSuite AI Connector Service scope, the following must be cleared: all other scope boxes (RESTlets, REST Web Services, SuiteAnalytics Connect), all Token-Based Authentication boxes, all Client Credentials boxes, and the Client Credentials (Machine to Machine) Grant box.
[Screenshot: API scope checkboxes]

Step 4: Configure Public Client (Optional)

  1. Check the Public Client box if the application cannot keep a client secret confidential, which is the case for anything distributed outside your account (desktop, mobile, or browser-based apps)
  2. A public client does not use a client secret, since a secret shipped inside the application could not remain confidential
  3. Configure Refresh Token Validity (default: 48 hours, range: 1–720 hours)
  4. Configure Maximum Time For Token Rotation (default: 168 hours, range: 1–720 hours)
  5. Optionally check Dynamic Client Registration if clients need to register without knowing their client ID
📝 Note: The Client Credentials (Machine-to-Machine) Grant does NOT support public clients. Public client settings only apply to the Authorization Code Grant flow.

Step 5: Configure Consent Policy & Branding (Optional)

Select an OAuth 2.0 Consent Policy:

  • Always Ask (default): The consent screen appears every time the OAuth 2.0 code grant flow is initiated.
  • Never Ask: The consent screen is skipped entirely; the integration is auto-approved by the administrator. Use this only for integrations you control, because users are never shown which scopes are being granted and cannot decline. Not available for the NetSuite AI Connector Service scope.
  • Ask First Time: The consent screen appears only on the first authorization. It reappears if the scopes change or the system can't determine the user's role or account.

Optional branding fields:

  • Application Logo — JPEG, PNG, or GIF from your File Cabinet
  • Application Terms of Use — PDF from your File Cabinet
  • Application Privacy Policy — PDF from your File Cabinet
[Screenshot: Consent Policy and optional branding fields]

Saving & Capturing Your Credentials

After configuring all OAuth 2.0 settings, click Save. The confirmation page displays your Client ID and Client Secret.

[Screenshot: Confirmation page — Client ID and Client Secret displayed only once]
⚠️ Warning: The Client ID and Client Secret are displayed ONLY ONCE. If you navigate away without copying them, you'll have to reset the credentials on the Integration page, which invalidates the previous values. Treat them like passwords and store securely.

OAuth 2.0 Credentials Summary

  • Client ID: generated from the integration record when you save it.
  • Client Secret: generated from the integration record when you save it; used only by confidential clients (not public clients).
  • Access Token: obtained programmatically through the authorization code flow or the client credentials flow.
  • Refresh Token: returned together with the access token (authorization code grant only).

📝 Note: In NetSuite's documented client credentials (machine-to-machine) flow the client authenticates with a signed JWT assertion backed by a certificate registered in the account's OAuth 2.0 client credentials setup, not with the client secret. The Client ID is still required to identify the integration.
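The following Python is an added example, not code from this page, from NetXcel, or from NetSuite: it walks the client side of the authorization code grant for a public client (PKCE code verifier and challenge, a state value bound to the session, callback checking, and the shape of the token request) and models the two Step 4 timers, Refresh Token Validity and Maximum Time For Token Rotation, so a client knows when a refresh is still possible and when the user has to consent again. The endpoint shapes and the scope strings rest_webservices and restlets are assumed from NetSuite's OAuth 2.0 documentation; the account ID, client ID, redirect URI and the reference instant T0 are placeholders constructed for the example.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders assumed for this example. URL shapes and scope names follow NetSuite's
# OAuth 2.0 documentation; account ID, client ID, redirect URI and T0 are made up.
ACCOUNT_ID = "1234567"
AUTHORIZE_URL = f"https://{ACCOUNT_ID}.app.netsuite.com/app/login/oauth2/authorize.nl"
TOKEN_URL = f"https://{ACCOUNT_ID}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"
CLIENT_ID = "0123456789abcdef0123456789abcdef"
REDIRECT_URI = "https://app.example.com/oauth/callback"  # must be registered exactly as used
SCOPES = ["rest_webservices", "restlets"]
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference instant for the demo

def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair() -> Tuple[str, str]:
    """A fresh 43-character verifier and its challenge; the verifier never leaves the client."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)

def build_authorize_url(state: str, code_challenge: str) -> str:
    """Authorization request. state ties the callback to this browser session (CSRF
    protection); the challenge ties the later code exchange to this client instance."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, refusing an error response,
    a missing code, or a state that does not match (compared in constant time)."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback is not from this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def token_request_body(code: str, verifier: str) -> Dict[str, str]:
    """Form body to POST to TOKEN_URL. A public client proves it started the flow with
    code_verifier; a confidential client would instead send client_id:client_secret
    as HTTP Basic credentials and has no verifier to present."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }

def hours_after(start: datetime, hours: float) -> datetime:
    return start + timedelta(hours=hours)

class RefreshTokenPolicy:
    """Client-side model of the Step 4 limits: a refresh token is usable only within
    Refresh Token Validity of its issue, and no further rotation is possible once
    Maximum Time For Token Rotation has elapsed since the original authorization."""

    def __init__(self, refresh_validity_hours: int = 48, max_rotation_hours: int = 168):
        self.refresh_validity = timedelta(hours=refresh_validity_hours)
        self.max_rotation = timedelta(hours=max_rotation_hours)
        self.first_authorized_at: Optional[datetime] = None
        self.refresh_issued_at: Optional[datetime] = None

    def record_authorization(self, now: datetime) -> None:
        """Call after a successful code exchange (the user went through consent)."""
        self.first_authorized_at = self.refresh_issued_at = now

    def record_rotation(self, now: datetime) -> None:
        """Call after a successful refresh; the new refresh token restarts the validity clock."""
        self.refresh_issued_at = now

    def next_action(self, now: datetime) -> str:
        if self.first_authorized_at is None:
            return "authorize"
        if now > self.first_authorized_at + self.max_rotation:
            return "reauthorize"  # rotation window closed: the user must consent again
        if now > self.refresh_issued_at + self.refresh_validity:
            return "reauthorize"  # refresh token expired before it was rotated
        return "refresh"
```

With the page's defaults a public client that refreshes at least every 48 hours keeps working for 168 hours after consent and then must run the code grant again; a client that goes idle for more than 48 hours loses its refresh token earlier. Both cases should be handled by sending the user back through build_authorize_url rather than by retrying the refresh.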

Complete OAuth 2.0 Field Reference

Here's a complete reference of every OAuth 2.0 field on the Authentication subtab:

  • Authorization Code Grant: Enables the OAuth 2.0 authorization code flow for user-interactive integrations.
  • Redirect URI: The URI your application redirects to after authorization. Must use https:// or a custom scheme. HTTP is not supported. Example: https://netxcel.maayins.com/taskpane.html#/oauth-callback
  • Public Client: For distributed integrations where client secret confidentiality can't be guaranteed. Enables the refresh token rotation settings.
  • Refresh Token Validity: How long refresh tokens remain valid (1–720 hours, default: 48). Public clients only.
  • Max Time For Token Rotation: How long before users must reauthenticate (1–720 hours, default: 168). Public clients only.
  • Dynamic Client Registration: Allows clients to register without knowing their client ID. Requires Public Client. Returns the client ID via the matching redirect URI.
  • Client Credentials Grant: Enables machine-to-machine authentication without user interaction. Cannot be used with Public Client.
  • RESTlets: Scope for accessing RESTlets.
  • REST Web Services: Scope for accessing SuiteTalk REST APIs.
  • SuiteAnalytics Connect: Scope for accessing SuiteAnalytics Connect.
  • NetSuite AI Connector Service: Scope for accessing MCP Tools via the AI Connector Service. When used, all other scope boxes, all TBA boxes, all Client Credentials boxes, and the Client Credentials (Machine to Machine) Grant must be cleared.
  • Consent Policy: Controls consent screen behavior: Always Ask (default), Never Ask, or Ask First Time.

Related Posts

🔗 How to Create a NetSuite Integration Record
The essential first step before configuring any authentication method.

🔗 NetSuite TBA: Complete Setup & Token Management Guide
Step-by-step walkthrough of TBA configuration and token lifecycle management.

Ready to connect NetSuite to your spreadsheets?

NetXcel supports both TBA and OAuth 2.0 to pull live NetSuite data into Excel and Google Sheets.

Learn more at maayins.com