NetSuite is connected once at the org level by an admin. The credential is shared across all groups that have been granted access — individual team members don't need to connect their own accounts.
OAuth 2.0 (recommended):
1. Enter your Account ID above (Setup → Company → Company Information → Account ID)
2. In NetSuite, go to Setup → Integration → Manage Integrations → New
3. Enable Authorization Code Grant under the OAuth 2.0 subtab, check REST Web Services, and add On Belay's redirect URI
4. Save — copy the auto-generated Client ID, then add a Client Secret under Credentials
5. Paste the Client ID and Client Secret below, then click "Connect with OAuth"
Token-Based Auth (TBA):
For a complete step-by-step TBA walkthrough — including how to enable TBA at the account level, configure role permissions, create an Integration Record, and generate an Access Token — see the On Belay NetSuite TBA Setup Guide at:
https://github.com/Junto-Systems/onbelay/blob/main/docs/onbelay-platform/netsuite-tba-setup.md
Quick summary:
1. Enable Token-based Authentication and REST Web Services under Setup → Company → Enable Features → SuiteCloud tab
2. Assign your role the REST Web Services, Token-based Authentication, and Log in using Access Tokens permissions (Setup → Users/Roles → Manage Roles)
3. Create an Integration Record (Setup → Integration → Manage Integrations → New) with Token-based Authentication checked — copy the Consumer Key and Consumer Secret shown once on save
4. Create an Access Token (Setup → Users/Roles → Access Tokens → New) selecting the integration, user, and role — copy the Token ID and Token Secret shown once on save
5. Find your Account ID at Setup → Company → Company Information
6. Enter Account ID above, leave Client ID blank, and fill in Consumer Key, Consumer Secret, Token ID, and Token Secret below — then click "Connect with TBA"
These are the data scopes On Belay can be granted for NetSuite. Your org admin controls which scopes are enabled per group.
| Scope | Description | Access |
|---|---|---|
| customers:read | Read customers | Read only |
| customers:write | Create/update customers | Read / Write |
| sales_orders:read | Read sales orders | Read only |
| sales_orders:write | Create/update sales orders | Read / Write |
| purchase_orders:read | Read purchase orders | Read only |
| purchase_orders:write | Create/update purchase orders | Read / Write |
| invoices:read | Read invoices | Read only |
| invoices:write | Create/update invoices | Read / Write |
| inventory:read | Read inventory & items | Read only |
| inventory:write | Update inventory & items | Read / Write |
| vendors:read | Read vendors | Read only |
| vendors:write | Create/update vendors | Read / Write |
| employees:read | Read employees | Read only |
| financials:read | Read financial transactions & GL | Read only |
| reports:read | Run saved searches & reports | Read only |
| suiteql:read | Execute SuiteQL queries | Read only |
Your OAuth app's authorized redirect URIs don't include the On Belay callback URL. Add https://app.onbelay.ai/api/oauth-callback/netsuite to the allowed redirect URIs in your OAuth app settings.
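The redirect-URI error above often appears when the registered value only looks right. The following is an added example, not On Belay or NetSuite code: it assumes the authorization server compares redirect URIs by exact string match and reports how a registered value differs from the callback URL given on this page. The function names and sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Callback URL given on this page.
EXPECTED = "https://app.onbelay.ai/api/oauth-callback/netsuite"

def diagnose(registered, expected=EXPECTED):
    """Return the reasons `registered` fails an exact string match (empty list = match)."""
    if registered == expected:
        return []
    reasons = []
    if registered != registered.strip():
        reasons.append("leading or trailing whitespace")
    got, want = urlsplit(registered.strip()), urlsplit(expected)
    if got.scheme != want.scheme:
        reasons.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc != want.netloc:
        if got.netloc.lower() == want.netloc.lower():
            reasons.append("host differs only by letter case")
        else:
            reasons.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        if got.path.rstrip("/") == want.path:
            reasons.append("path has a trailing slash")
        elif got.path.lower() == want.path.lower():
            reasons.append("path differs only by letter case")
        else:
            reasons.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        reasons.append("query string or fragment present")
    return reasons or ["differs from the expected value"]

def check_all(registered_uris):
    """Return (ok, report): ok is True only if some registered URI matches exactly."""
    report = {uri: diagnose(uri) for uri in registered_uris}
    return any(not why for why in report.values()), report

if __name__ == "__main__":
    # Constructed sample values, as they might be typed into an integration record.
    samples = [
        EXPECTED + "/",
        "http://app.onbelay.ai/api/oauth-callback/netsuite",
        "https://App.OnBelay.ai/api/oauth-callback/netsuite",
        EXPECTED + " ",
    ]
    ok, report = check_all(samples)
    for uri, why in report.items():
        print("OK " if not why else "BAD", repr(uri), "; ".join(why))
    print("callback registered correctly:", ok)
```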
The API or scope isn't enabled in your cloud project. For Google integrations, make sure the relevant API (e.g., Google Ads API, Search Console API) is enabled in Google Cloud Console for your project.
Check that your group has been granted access to this integration in On Belay → Groups → [your group] → Integrations. Also verify the specific scopes your group is permitted to use match what your query requires.