Skip to main content
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Helper V
Helper V

PowerBI NetSuite POST Rest API Create Client_Assertion token

Good Day,

With the help of Netsuite consultants, i manually coping the temp auth token key i can access Netsuite from API

I am trying to generate the authenticaion token, i was informed i need the assertion param value that postman uses as an example


1. The below is the javascript but how do i translate this to powerquery function?


pm.collectionVariables.set('companyId', pm.collectionVariables.get("NSCOMPID"));

var navigator = {}; // necessary as part of "eval" on jsrsasign lib
var window = {}; // necessary as part of "eval" on jsrsasign lib
eval(pm.globals.get("jsrsasign-js")); // grabbing jsrsasign lib, loaded in separate GET 

const cryptojs = require('crypto-js'); // using crypto js for base64 encoding

// Create JWT header
var jwtHeader = {
    alg: 'PS256', // Using PS256, which is one of the algorithms NetSuite supports for client credentials
    typ: 'JWT',
    kid: pm.collectionVariables.get("KID") // Certificate Id on the client credentials mapping

var stringifiedJwtHeader = JSON.stringify(jwtHeader);
console.log('jwtHeader: ' + stringifiedJwtHeader);
// Create JWT payload
var jwtPayload = {
    iss: pm.collectionVariables.get("CONSUMER_KEY"), // consumer key of integration record
    scope: ['restlets','rest_webservices'], // scopes specified on integration record
    iat: (new Date() / 1000),               // timestamp in seconds
    exp: (new Date() / 1000) + 3600,        // timestamp in seconds, 1 hour later, which is max for expiration
    aud: pm.collectionVariables.get("RESTLET_URL")

var stringifiedJwtPayload = JSON.stringify(jwtPayload);
console.log('jwtPayload: ' + stringifiedJwtPayload);
// The secret is the private key of the certificate loaded into the client credentials mapping in NetSuite
var secret = pm.collectionVariables.get("CERTIFICATE_PRIVATE_KEY");
console.log('secret: ' + secret);
var encodedSecret = cryptojs.enc.Base64.stringify(cryptojs.enc.Utf8.parse(secret)); // we need to base64 encode the key

// Sign the JWT with the PS256 algorithm (algorithm must match what is specified in JWT header).
// The JWT is signed using the jsrsasign lib (KJUR)
var signedJWT = KJUR.jws.JWS.sign('PS256',stringifiedJwtHeader,stringifiedJwtPayload,secret);

// The signed JWT is the client assertion (encoded JWT) that is used to retrieve an access token
pm.collectionVariables.set('clientAssertion', signedJWT);



2. Below is my WIP version but im missing the javascript library that postman uses and the KID Param values etc, 


    // Define your client ID and client secret
    clientId = "a0a...",
    clientSecret = "1b3c...",    
    // Construct the assertion payload
    assertionPayload = [
        iss = clientId,
        sub = clientId,
        aud = "", 
        exp = Number.ToText(Number.Round(DateTimeZone.FixedLocalNow() + #duration(0,0,1,0))),
        iat = Number.ToText(Number.Round(DateTimeZone.FixedLocalNow()))

    // Convert the assertion payload to JSON
    assertionPayloadJson = Json.FromValue(assertionPayload),
    // ConvertToBinary
    encodedPayload = Binary.ToText(assertionPayloadJson, BinaryEncoding.Base64),

    // Construct the assertion header
    assertionHeader = [
        alg = "MII...",
        typ = "JWT"

    // Convert the assertion header to JSON
    assertionHeaderJson = Json.FromValue(assertionHeader),    
    // Encode the header to base64    
    encodedHeader = Binary.ToText(assertionHeaderJson, BinaryEncoding.Base64),

    // Concatenate the encoded header, payload, and signature
    assertion = encodedHeader & "." & encodedPayload,

    // Sign the assertion using the client secret
    signedAssertion = assertion & "." & ""



Please Help, Any ideas or links of someone doing this before

Community Support
Community Support

Hi @icassiem 


A Client_Assertion token is typically used in server-to-server authentication scenarios. It's a way for an application (client) to authenticate itself to a server (like Microsoft Entra ID or Azure AD) using a signed JWT token (the assertion) instead of a client secret. This method is more secure and is particularly useful when you want to avoid storing secrets in your application.


Here are links about how to create the token for your reference:

Embed Power BI content in a Power BI embedded analytics application with service principal and a cer...

Generate an embed token in Power BI embedded analytics - Power BI | Microsoft Learn


Best Regards

Zhengdong Xu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi thank you @v-zhengdxu-msft 

Do I have to create an entrai d by registering netsuite api with azure?


I tied something similar where I ussed powerbi api and required reg the api in azure for service principal only for partner and admin struggling for days saying bit was not possible


Is there no other option than reg netsuite with azure?

Helpful resources

Europe Fabric Conference

Europe’s largest Microsoft Fabric Community Conference

Join the community in Stockholm for expert Microsoft Fabric learning including a very exciting keynote from Arun Ulag, Corporate Vice President, Azure Data.

Power BI Carousel June 2024

Power BI Monthly Update - June 2024

Check out the June 2024 Power BI update to learn about new features.


Fabric Community Update - June 2024

Get the latest Fabric updates from Build 2024, key Skills Challenge voucher deadlines, top blogs, forum posts, and product ideas.

Top Solution Authors