NetSuite

ERP

system_type: "netsuite"

Proxy NetSuite SuiteQL and REST API calls with PQC-sealed OAuth2 credentials.

Overview#

The NetSuite connector proxies calls to the NetSuite REST API and SuiteQL endpoint. OAuth2 client credentials (with the NetSuite-specific token-based authentication flow) are sealed in QuantaVault. SuiteQL queries and record CRUD operations are supported.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_...

Prerequisites#

1A NetSuite account with REST Web Services and SuiteQL features enabled
2An Integration record in NetSuite with OAuth2 enabled; note the client_id and client_secret
3An access token for the integration or the ability to use the client_credentials flow
4A QuantaSeal API key

Configuration#

Follow these steps to connect NetSuite to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
In NetSuite, go to Setup → Integrations → Manage Integrations → New. Enable Token-Based Auth and note the credentials.
2
Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client.
3
Create the integration: POST /api/v2/integrations with system_type: netsuite and your NetSuite account ID.

Authentication Types#

NetSuite uses a custom OAuth2 flow with token-based authentication (TBA). Store client_id and client_secret as oauth2_client in QuantaVault. QuantaSeal handles the token exchange automatically.

OAuth2 ClientAPI Key

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`suiteql`	Execute a SuiteQL query.
`get_record`	Retrieve a record by type and internal ID.
`create_record`	Create a NetSuite record.
`update_record`	Update a NetSuite record.
`delete_record`	Delete a NetSuite record.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_01HZ9X2K4MNPQRNETSUITE001",
    "operation": "suiteql",
    "payload": {
      "q": "SELECT id, companyName, email FROM customer WHERE subsidiary = 1 LIMIT 10"
    }
  }'

# Response - HybridCryptoEnvelope
{
  "success": true,
  "encrypted": {
    "ciphertext_kem":  "<base64 - 1088 bytes ML-KEM-768>",
    "ciphertext_data": "<base64 - AES-256-GCM encrypted NetSuite response>",
    "nonce":           "<base64 - 12 bytes>",
    "tenant_id":       "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":  "<base64 - ~3309 bytes ML-DSA-65>",
    "hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
    "tenant_id":      "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
    "algorithm":      "ML-DSA-65+HMAC-SHA-512"
  },
  "audit_event_id": "aud_01HZ9XABCDEF"
}

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

OAUTH_APPLICATION_NOT_FOUND

The Integration record in NetSuite is inactive or the client_id is incorrect. Verify the Integration record status in Setup → Integrations.

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference