
NetSuite API Secrets: A Secret Worth Sharing

  • Writer: Aydin Azari
  • Jun 3, 2024
  • 4 min read

Updated: Dec 8, 2025

In the digital age, safeguarding sensitive information is critical, especially when dealing with APIs and integrations that can access business data. NetSuite's API Secrets provide a way to securely manage digital credentials such as hashes, passwords, and keys inside NetSuite. This blog post introduces NetSuite's API Secrets, explains why they matter, and shows how you can use them effectively in your NetSuite environment for your API and integration needs.



What are NetSuite API Secrets? 


NetSuite API Secrets is a feature that allows for secure storage and management of sensitive data related to digital authentication credentials.  

 

In NetSuite, administrators can access API Secrets under Setup > Company > API Secrets. API Secrets allow users to securely store up to 1,000,000 characters of sensitive data, which includes passwords, keys, and other critical authentication information. This removes the need to store sensitive information in plaintext, for example in scripts or UI fields, where it could be read by unauthorized users.

 

The use of API Secrets in SuiteScripts is exclusive to SuiteScript 2.x APIs (server scripts only). 


 

Why Use NetSuite API Secrets? 

 

Security breaches are frequently the result of exploiting weak or poorly managed digital credentials. A common vulnerability arises when sensitive integration data is stored in plaintext or unencrypted formats. NetSuite's API Secrets feature counters this risk by providing a secure vault for storing these credentials. This allows authorized users to manage their integration needs without exposing sensitive information as plaintext.

 

By using NetSuite’s API Secrets feature, your business can minimize the risk of data breaches through unauthorized access to credentials. 

 


How to Use NetSuite API Secrets? 

 

The first step is to create a new API Secret:


  1. Navigate to Setup > Company > API Secrets



  2. Click on the “Create New” button.

  3. Enter a name for your API Secret.

  4. Enter an ID for your API Secret. Choose an ID that is descriptive of what your API Secret is useful for. Any ID you enter will be saved with the “custsecret” prefix.

  5. In the “Password” field enter the hash, password, key, or another type of secret that you wish to store securely.

    1. Note: you can alternatively upload your passwords from a file, using the “File” field. Multi-line secrets must be loaded from a file.

  6. Re-enter this information in the “Confirm Password” field.  

  7. Optionally, you can set a date for when the token will expire in the “Expiration Warning” field. This has no effect on the actual expiration of the token, and is mainly useful to show a visual reminder that the token is about to expire.


    Warning is displayed if the token is less than a month away from expiring.
  8. In the “Description” field, enter a description of this API Secret. Do not use sensitive or private information, as this is shown to users who view the saved API Secret and on the list of API Secrets.



 

  1. Click on the “Restrictions” tab. 

  2. You can optionally check the “Available To SuiteApp” checkbox to reference this API Secret from a specified SuiteApp. 

  3. On the “Owners” field, you can specify the users that can access or modify this API Secret once it has been saved. 

  4. In the “Restrict to Employees” field, select the users that are allowed to reference the secret using SuiteScript.

  5. Select the “Allow for All Scripts” checkbox to allow any script in this account to access this API Secret using SuiteScript 2.x. 

    1. Alternatively, you can specify the scripts that can access this API Secret by entering the Internal IDs of the Script record(s) on the “Restrict to Scripts” field. (Note: Separate multiple script IDs with commas.) 

  6. If you wish to allow this API Secret to be used with any domain, check the “Allow For All Domains” checkbox.

    1. Alternatively, in the “Restrict To Domains” field, enter the domains where the API Secret passwords can be sent (this is applicable to SFTP and HTTPS only). Separate multiple domains with commas.

  7. Click Save.




⚠️ Please note that once you save the API Secret, you can no longer view, copy, or log the secret. Ensure that you store it securely somewhere else if you expect to need it again in the future.


 

Referencing an API Secret in a SuiteScript 2.x (server script)


To use the API Secret password that you just created in a SuiteScript 2.x server script, call the https.createSecureString function from the ‘N/https’ module and pass the API Secret ID wrapped in curly braces as the input string, for example '{custsecret_sf_integration}'.

 


 

In the example above, the testPassword constant holds the API Secret’s password as a secure string. You and other users will not be able to view or log that string. You can, however, use testPassword to send your credentials in HTTPS requests, as demonstrated below:


/**
 * @NApiVersion 2.1
 * @NScriptType UserEventScript
 */
define(['N/https'], (https) => {
    const afterSubmit = (scriptContext) => {
        // NetSuite resolves the {custsecret_...} placeholder at runtime; the
        // resulting SecureString cannot be viewed or logged by the script.
        const testPassword = https.createSecureString({
            input: '{custsecret_sf_integration}'
        });

        // The SecureString is used as a header value without the plaintext
        // credential ever appearing in the script source.
        const headersObj = {
            'Content-Type': 'application/json',
            'X-API-Key': testPassword
        };

        const requestBody = {sampleBody: 'This is a test request'};

        const options = {
            requestBody: JSON.stringify(requestBody),
            headers: headersObj
        };

        https.post({
            headers: options.headers,
            body: options.requestBody,
            url: 'https://mytestdomain.com'
        });
    };

    return {afterSubmit};
});
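As an added example that is not part of the original post or of NetSuite's own API, here is a small Node.js check a reviewer can run over SuiteScript sources to catch the plaintext-credential pattern the post warns against: it flags credential-like object keys that are given a quoted literal, and createSecureString calls whose input is not a {custsecret...} reference. The key list, the regexes and the sample script are assumptions constructed for illustration.

```javascript
// Added example (not NetSuite's or the post's code); key names and regexes are assumptions.
const SENSITIVE_KEYS = new Set(['password', 'apikey', 'x-api-key', 'authorization', 'token', 'secret']);
// An API Secret reference as the post describes it: {custsecret...}.
const SECRET_REF = /^\{custsecret[A-Za-z0-9_]*\}$/;
// `key: 'value'` / `"key": "value"` pairs inside an object literal (single line).
const PAIR_RE = /['"]?([A-Za-z0-9_-]+)['"]?\s*:\s*(['"])((?:(?!\2).)*)\2/g;
// The `input` string handed to https.createSecureString (may span lines).
const SECURE_INPUT_RE = /createSecureString\s*\(\s*\{[^}]*?\binput\s*:\s*(['"])((?:(?!\1).)*)\1/g;
// 1-based line number of a character offset in `source`.
const lineOf = (source, index) => source.slice(0, index).split('\n').length;

function lintSuiteScript(source) {
  const findings = [];
  // Check 1: a credential-like key assigned a quoted literal. An unquoted
  // SecureString variable, which is what the post recommends, does not match.
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(PAIR_RE)) {
      if (SENSITIVE_KEYS.has(m[1].toLowerCase()) && !SECRET_REF.test(m[3])) {
        findings.push({ line: idx + 1, key: m[1], reason: 'plaintext credential literal' });
      }
    }
  });
  // Check 2: createSecureString fed a literal instead of a {custsecret...}
  // placeholder; the value still sits in the script source, so nothing is vaulted.
  for (const m of source.matchAll(SECURE_INPUT_RE)) {
    if (!SECRET_REF.test(m[2])) {
      findings.push({ line: lineOf(source, m.index), key: 'createSecureString',
                      reason: 'input is not an API Secret reference' });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample script: one correct reference and three plaintext slips.
const SAMPLE = [
  "define(['N/https'], (https) => {",
  "  const apiKey = https.createSecureString({",
  "    input: '{custsecret_sf_integration}'",
  "  });",
  "  const bad = https.createSecureString({ input: 'hunter2' });",
  "  const headers = { 'Content-Type': 'application/json',",
  "    'X-API-Key': 'sk_live_CONSTRUCTED_EXAMPLE', 'X-Good-Key': apiKey };",
  "  const creds = { user: 'svc', password: 'hunter2' };",
  "  return { headers, creds, bad };",
  "});",
].join('\n');

console.log(lintSuiteScript(SAMPLE)); // flags lines 5, 7 and 8
```

Run it over your own script files before deployment; a clean result means every credential-looking value is either a SecureString variable or a {custsecret...} reference.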

 

 

For more details on API Secrets, you can refer to NetSuite’s documentation below: 



If your company is in need of NetSuite support, we'd love to hear from you. Fill out this brief form and our team will reach out to you right away!

 
 
 
