Oracle NetSuite Integration Guide · ERP / Enterprise

Connect Oracle NetSuite to WhatsApp

Query live customer data from your NetSuite ERP in a WhatsApp chatbot. This guide covers NetSuite's authentication options, the SuiteQL query approach, and the recommended middleware pattern for the simplest production-ready integration.

Published 22 June 2026  ·  10 min read  ·  ERP / Enterprise

Before following this guide, read the External API Request step foundation guide. It covers every field in the step interface so this guide can focus on NetSuite-specific values.

NetSuite requires IT or developer involvement

NetSuite is an enterprise ERP, not a developer-first SaaS. Every integration path requires an Administrator to create an Integration Record in NetSuite. The most common authentication method (TBA/OAuth 1.0a) also requires a cryptographically signed request header that standard HTTP tools cannot generate without custom code. Read this guide fully before starting. The RESTlet middleware approach is often the simplest path for most teams.

Two integration paths: choose one

NetSuite offers two practical authentication methods for external integrations. Here is an honest comparison:

| Method | Complexity | Who does it | Best for |
|---|---|---|---|
| OAuth 2.0 + SuiteQL | High: IT admin setup + dev involvement | NetSuite admin + developer | Teams already using OAuth 2.0 tools, greenfield integrations |
| RESTlet (middleware) | Medium: write once in SuiteScript | NetSuite developer (write once) | Quickest path to a working WhatsApp bot, recommended for most teams |
| TBA (OAuth 1.0a) | Very high: signed headers per-request | Developer only | Legacy integrations; avoid for new builds, being phased out |

This guide covers Path A (OAuth 2.0 + SuiteQL) and Path B (RESTlet middleware). TBA is noted for reference but not recommended for new builds.

Prerequisites (both paths)

Before either path, your NetSuite admin completes these steps:

1. Find your NetSuite Account ID: Setup > Company > Company Information > Account ID. It is a 6-7 digit number (e.g. 1234567). It also appears in your URL: 1234567.app.netsuite.com.
2. Go to Setup > Integration > Manage Integrations > New. Give it a name like "WA.Expert WhatsApp Bot". Choose your auth type (OAuth 2.0 for Path A, no special setting for Path B).
3. Create a dedicated NetSuite role with read permission for Customer records (or the records you need). Assign this role to the integration's user.

Your NetSuite URL identifies your account ID

Your NetSuite instance URL follows the pattern https://ACCOUNT_ID.app.netsuite.com. The API base URL is https://ACCOUNT_ID.suitetalk.api.netsuite.com/services/rest. All sandbox accounts append _SB1 to the account ID but use a hyphen in the URL: ACCOUNT_ID-sb1.

Path A: OAuth 2.0 + SuiteQL (recommended for new builds)

OAuth 2.0 requires your IT team to complete an authorization code flow once to get a Bearer token and refresh token. After that, WA.Expert's External API Request step can call NetSuite directly.

Path A — Get OAuth 2.0 access token (done by IT team, once)
1. In Integration Record (Setup > Integration > Manage Integrations):
   Enable OAuth 2.0, set callback URL, note Client ID and Client Secret.

2. Direct the NetSuite admin to authorise at:
   https://ACCOUNT_ID.app.netsuite.com/app/login/oauth2/authorize.nl
     ?client_id=YOUR_CLIENT_ID
     &response_type=code
     &redirect_uri=YOUR_CALLBACK_URL
     &scope=rest_webservices
     &state=RANDOM_STRING

3. After admin approves, exchange the code for tokens:
   POST https://ACCOUNT_ID.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token
   Content-Type: application/x-www-form-urlencoded
   Body:
     grant_type=authorization_code
     &client_id=YOUR_CLIENT_ID
     &client_secret=YOUR_CLIENT_SECRET
     &redirect_uri=YOUR_CALLBACK_URL
     &code=AUTHORISATION_CODE

4. Response:
   { "access_token": "...", "refresh_token": "...", "expires_in": 3600 }

Store the access_token and refresh_token.
Refresh using refresh_token before the 1-hour expiry.

Query customers with SuiteQL

Once you have a Bearer token, add an External API Request step in WA.Expert. SuiteQL queries are sent as POST requests with a JSON body:

External API Request Step — WA.Expert (Path A)
Select Method: POST
Request URL: https://ACCOUNT_ID.suitetalk.api.netsuite.com/services/rest/query/v1/suiteql
Header Parameters:
  Authorization: Bearer YOUR_NETSUITE_ACCESS_TOKEN
  Content-Type: application/json
  Prefer: transient
Select Body Type: JSON
Body:
{"q": "SELECT id, companyName, email, phone FROM customer WHERE phone = '{{customer_phone}}' LIMIT 1"}
Choose Response Type: JSON

The Prefer: transient header is required for SuiteQL

NetSuite's SuiteQL endpoint requires the Prefer: transient header on every POST request. Without it, the API returns a 400 error. This is unique to NetSuite. No other platform in this series requires it.

NetSuite SuiteQL — response
{
  "totalResults": 1,
  "count": 1,
  "hasMore": false,
  "items": [
    {
      "id": "142",
      "companyname": "Sharma Textiles Pvt Ltd",
      "email": "priya@sharma.com",
      "phone": "9820000001"
    }
  ],
  "offset": 0
}

Map: items[0].companyname, items[0].email, items[0].phone

SuiteQL field names are lowercase

NetSuite SuiteQL returns field names in lowercase regardless of how they appear in the UI. companyName in the UI becomes companyname in the API response. Map as items[0].companyname (all lowercase).

Path B: RESTlet middleware (recommended for most teams)

A RESTlet is a custom script you deploy inside NetSuite that exposes a simple HTTP endpoint. Your NetSuite developer writes it once, typically 30 lines of SuiteScript. After deployment, WA.Expert calls it with a plain API key you define, and the RESTlet handles all the NetSuite querying internally.

Path B — RESTlet concept (your NetSuite developer writes this once)
What your NetSuite developer deploys:

A SuiteScript 2.x RESTlet at a URL like:
  https://ACCOUNT_ID.restlets.api.netsuite.com/app/site/hosting/restlet.nl
    ?script=SCRIPT_ID&deploy=DEPLOY_ID&apikey=YOUR_SIMPLE_KEY&phone=PHONE_NUMBER

The RESTlet internally:
1. Validates the simple apikey
2. Queries res.customer WHERE phone = phone_param
3. Returns clean JSON: { "name": "...", "email": "...", "city": "..." }

What WA.Expert calls (simple, no OAuth required):
GET https://ACCOUNT_ID.restlets.api.netsuite.com/app/site/hosting/restlet.nl
  ?script=123&deploy=1&apikey=MY_SIMPLE_KEY&phone={{customer_phone}}
Authorization: NLAuth nlauth_account=ACCOUNT_ID,nlauth_email=USER@COMPANY.COM,
               nlauth_signature=PASSWORD,nlauth_role=ROLE_ID

Note: NLAuth uses the NetSuite admin's email + password in the header.
This is simpler than OAuth 1.0a TBA but still requires setup.
Ask your NetSuite admin for the NLAuth header values.

Why RESTlets are often the practical choice

Your NetSuite developer writes the RESTlet once and controls what data it exposes. WA.Expert's External API Request step then calls a clean simple endpoint. No per-request OAuth 1.0a signature generation. No token expiry to manage. One API call per chatbot lookup.
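The three steps the RESTlet performs internally (validate the key, query by phone, return clean JSON) can be sketched as follows. This is an added example, not WA.Expert's or NetSuite's own code: `handleLookup`, `sameKey`, `normalisePhone`, the `deps` object and the script parameter name are assumptions made for illustration, and the stand-in for `N/query` and the sample row are constructed. Where the Path A request body places `{{customer_phone}}` inside the query text, this version validates the value and passes it to `query.runSuiteQL` as a bind parameter.

```javascript
// Core of the Path B RESTlet GET handler, free of NetSuite modules so it runs in Node.
// Inside NetSuite it would be wired up roughly as (custscript_wa_apikey is hypothetical):
//   define(['N/query', 'N/runtime'], (query, runtime) => ({ get: (p) => handleLookup(p, {
//     expectedKey: runtime.getCurrentScript().getParameter({ name: 'custscript_wa_apikey' }),
//     runSuiteQL: (o) => query.runSuiteQL(o).asMappedResults(),
//   }) }));

// Compare the whole key instead of stopping at the first differing character.
function sameKey(given, expected) {
  if (typeof given !== 'string' || typeof expected !== 'string' || !expected) return false;
  let diff = given.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (given.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Allow only characters a phone number can contain, then keep the digits.
function normalisePhone(raw) {
  if (typeof raw !== 'string' || !/^\+?[0-9 ()-]{7,20}$/.test(raw)) return null;
  const digits = raw.replace(/\D/g, '');
  return digits.length >= 7 && digits.length <= 15 ? digits : null;
}

function handleLookup(params, deps) {
  if (!sameKey(params.apikey, deps.expectedKey)) return { error: 'unauthorized' };
  const phone = normalisePhone(params.phone);
  if (phone === null) return { error: 'invalid phone' };
  // The value is passed as a bind parameter (?), never spliced into the query text.
  const rows = deps.runSuiteQL({
    query: 'SELECT companyname, email, phone FROM customer WHERE phone = ?',
    params: [phone],
  });
  if (rows.length === 0) return { found: false };
  // Return only the fields the chatbot needs, not the whole customer record.
  const { companyname, email } = rows[0];
  return { found: true, name: companyname, email };
}

// Constructed stand-in for N/query and constructed sample data, so this runs offline.
const SAMPLE_ROWS = [{ companyname: 'Sharma Textiles Pvt Ltd', email: 'priya@sharma.com', phone: '9820000001' }];
const seenQueries = [];
function fakeRunSuiteQL(options) {
  seenQueries.push(options);
  return SAMPLE_ROWS.filter((row) => row.phone === options.params[0]);
}
const demoDeps = { expectedKey: 'constructed-demo-key', runSuiteQL: fakeRunSuiteQL };

console.log(handleLookup({ apikey: 'constructed-demo-key', phone: '98200-00001' }, demoDeps));
```

Because the key arrives in the query string, as in the URL shown above, it is visible wherever request URLs are logged; treat it as a secret and rotate it if a full URL is ever shared.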

SuiteQL reference for common lookups

| What you want | SuiteQL query |
|---|---|
| Customer by phone | SELECT id, companyName, email, phone FROM customer WHERE phone = '9820000001' LIMIT 1 |
| Customer by email | SELECT id, companyName, phone FROM customer WHERE email = 'priya@example.com' LIMIT 1 |
| Customer by company name | SELECT id, companyName, email FROM customer WHERE companyName LIKE '%Sharma%' LIMIT 10 |
| Latest sales order for customer | SELECT id, tranDate, status, total FROM transaction WHERE type = 'SalesOrd' AND entity = '142' ORDER BY tranDate DESC LIMIT 1 |
| Open invoices for customer | SELECT id, dueDate, amountRemaining FROM transaction WHERE type = 'CustInvc' AND entity = '142' AND status = 'open' |

In SuiteQL, 'customer' is the internal table name. 'entity' is the customer's internal ID. Field names return lowercase in the response. NetSuite's internal IDs are numeric strings.

Troubleshooting

| Symptom | Likely cause | Fix |
|---|---|---|
| 400 on SuiteQL endpoint | Missing Prefer: transient header | Add Prefer: transient as a header on the SuiteQL POST request. |
| 401 Unauthorized | Invalid or expired access token | Refresh the OAuth 2.0 token using your refresh_token. Tokens expire after 1 hour. |
| 403 Forbidden | Integration role lacks read permission | In NetSuite, go to the role assigned to the integration user and add Customer > View permission. |
| Empty items array | Customer not found or phone format mismatch | Try the query with just a partial phone number or check how NetSuite stores phone numbers (with/without country code, spaces, dashes). |
| Account ID format error | Sandbox IDs use hyphen, not underscore | Sandbox account ID in URL: 1234567-sb1 (hyphen). In some forms NetSuite uses 1234567_SB1 (underscore). Use hyphen in API URLs. |
| Integration Record not visible | Insufficient NetSuite permissions | Creating Integration Records requires the Administrator role in NetSuite. Ask your NetSuite admin. |

Common questions

Why is NetSuite harder to integrate than HubSpot or Salesforce?
NetSuite's legacy TBA uses OAuth 1.0a with cryptographically signed headers per-request. Even OAuth 2.0 requires admin setup. NetSuite was built as an enterprise ERP, not a developer-first API. However, once set up, the SuiteQL query interface is powerful and flexible.

What is SuiteQL?
SuiteQL is NetSuite's SQL-like query language, exposed via POST /services/rest/query/v1/suiteql. You write SELECT queries against NetSuite's internal tables (customer, transaction, etc.) and get JSON back. It is the recommended read layer for modern integrations.

What is an Integration Record in NetSuite?
A configuration that defines an external app connecting to your account, providing a Client ID and Secret. Go to Setup > Integration > Manage Integrations > New. Requires the Administrator role.

What is the NetSuite account ID?
Your unique NetSuite subscription ID, found at Setup > Company > Company Information. It appears in your URL: ACCOUNT_ID.app.netsuite.com.

Is there a simpler way?
Yes, the RESTlet middleware approach. A NetSuite developer writes a simple SuiteScript endpoint once. WA.Expert calls it with a plain key, no OAuth signature needed. Recommended for most teams without dedicated integration infrastructure.

Does this incur extra WA.Expert charges?
The External API Request step counts as one automation action per call. On the Complete plan this is included. On Starter, extra action packs apply from Rs. 49 per 1,000 actions.
