In the digital age, safeguarding sensitive information is paramount, especially when dealing with APIs and integrations that can access a broad array of business data. NetSuite's API Secrets provide a solution for securely managing digital credentials such as hashes, passwords, and keys in NetSuite. This blog post expands NetSuite’s API Secrets, explores why they are crucial, and how you can effectively use them within your NetSuite environment for your API and integration needs.
What are NetSuite API Secrets?
NetSuite API Secrets are a feature that allows for secure storage and management of sensitive data related to digital authentication credentials such as passwords and API keys that are used to access integration endpoints securely.
In the NetSuite platform, you can access API Secrets under Setup > Company > API Secrets. API Secrets allows users to securely store up to 1,000,000 characters of sensitive data, which includes passwords, keys, and other critical authentication information. This prevents the need to store sensitive information in plaintext, particularly in scripts and NetSuite’s UI field such as script parameters, which can be accessed by unauthorized users.
The use of API Secrets in SuiteScripts is exclusive to SuiteScript 2.x APIs (server scripts only).
Why Use NetSuite API Secrets?
Security breaches are frequently the result of exploiting weak or poorly managed digital credentials. A common vulnerability arises when sensitive integration data is stored in plaintext or unencrypted formats in UI fields or scripts. NetSuite's API Secrets feature counters this risk by providing a secure vault for storing these credentials. This allows authorized users to manage their integration needs without exposing sensitive information as plaintext.
By using NetSuite’s API Secrets feature, your businesses can minimize the risk of data breaches through unauthorized access to credentials.
How to Utilize NetSuite API Secrets?
Create a new API Secret:
Navigate to Setup > Company > API Secrets
Click on the “Create New” button (see screenshot below)
Enter a name for your API Secret
Enter an ID for your API Secret. Try to choose an ID that is descriptive of what your API Secret is useful for. Any ID you enter will be saved with the “custscript” prefix.
In the “Password” field enter the hash, password, key, or another type of secret that you wish to store securely.
Re-enter this information identically on the “Confirm Password” field.
Please note that you cannot view your saved passwords on API Secrets later on, so ensure to store them securely somewhere else if you expect to potentially need them again in the future.
(Note: you can alternatively upload your passwords from a file, using the “File” field. Multi-line secrets must be loaded from a file.)
Optionally, you can check the “Expiration Warning” box if you want a warning to be displayed in the UI when the secret is nearing the expiration date.
At the time of writing, NetSuite’s guides do not specify the timeframe for this warning to appear, but our trial and error showed that the warning will appear if the API Secret’s expiry date is less than one month away (see screenshot below).
In the “Description” field, enter a description of this API Secret. Do not use sensitive or private information, as this is shown to users who view the saved API Secret and on the list of API Secrets.
Click on the “Restrictions” tab.
On the “Owners” field, you can specify the users that can access or modify this API Secret once it has been saved.
You can optionally check the “Available To SuiteApp” checkbox to reference this API Secret from a specified SuiteApp.
Alternatively, if you do not select the “Available To SuiteApp”, you can select the users that are allowed to reference the secret using SuiteScript, on the “Restrict to Employees” field.
You can either select the “Allow for All Scripts” checkbox to allow any script in this account to access this API Secret using SuiteScript 2.x.
Alternatively, you can specify the scripts that can access this API Secret by entering their Internal IDs (of the Script records) on the “Restrict to Scripts” field. (Note: Separate multiple script IDs with commas.)
If you wish to allow this API Secret to be sent to any domain, check the “Allow For All Domains” checkbox. Alternatively, in the “Restrict To Domains” field, enter the domains where the API Secret passwords can be sent (this is applicable to SFTP and HTTPS only). Separate multiple domains with commas.
Click Save.
Reference an API Secret on a SuiteScript 2.x (server script)
To use the API Secret password that you just created in a SuiteScript 2.x server script, use the https.createSecureString function available from the ‘N/https’ module.
In the example above, the testPassword constant will contain the API Secret’s password as an https.SecureString format. You and other users will not be able to view the password passed to testPassword. Attempting to print the contents of testPassword (for example by using log.debug) will not reveal the API Secret’s password.
You can however use testPassword to send your credentials on https requests. The screenshot below shows an example of this use case. Please note that the API Secret must either have the “Allow for All Domains” box checked, or the url used in the screenshot below must have been entered in the “Restrict to Domains” field.
/**
* @NApiVersion 2.1
* @NScriptType UserEventScript
*/
define(['N/https'], (https) => {
const afterSubmit = (context) => {
// This assigns the API Secret's password in encrypted format.
const testPassword = https.createSecureString({
input: 'cust_myAPISecret'
});
let options = {};
const headersObj = {
'Content-Type': 'application/json',
'X-API-Key': testPassword
};
const requestBody = {sampleBody: 'This is a test request'};
options = {
requestBody: JSON.stringify(requestBody),
headers: headersObj
};
headers: options.headers,
body: options.requestBody,
url: 'https://mytestdomain.com'
});
};
return {afterSubmit: afterSubmit};
});
Additionally, you can refer to NetSuite’s documentations below:
Secrets Management:
https.createSecretKey(options):
If your company is in need of NetSuite support, we'd love to hear from you. Fill out this brief form and our team will reach out to you right away!
Comments