When you deploy a Restlet, you receive an External URL. Incorporate that URL into Token based authentication and you are good to call your new Restlet from any external application. So why is my external application getting a 403 Forbidden? I’ve forgotten this fact several times in the past, so I’m writing it down now in a place where I can’t miss it!

When you deploy your Restlet, it looks something like this. I’ve removed our account number since you will be using your own. In addition, I’ve highlighted the external URL which we’ll look at again below.

This URL will probably end up in either an app.config or a web.config. It will look something like this. Again, I’ve removed all of our secret stuff. You’ll use your own. It’s the baseURL parameter that we’re looking at.

If you look closely, you’ll see a red squiggly underline under  “&deploy=1“. This won’t compile. So every time I see this I replace the ampersand with a %26. WRONG!

Don’t ask me why this is, but the solution is to replace the ampersand with “&“. You got it… another ampersand! This is completely illogical! However, after making this change, not only will it compile and run, but the 403 error goes away too.

And now I’ll remind myself yet again… LOOK HERE BEFORE READING ALL THE NETSUITE DOCUMENTATION ON TOKEN BASED AUTHENTICATION. Don’t assume you messed up the other parameters, like application ID, consumer key, consumer secret, token key or token secret. You pasted them correctly! It’s the URL encoding!

The problem is the same every time for me, the %26 followed by the 403 forbidden. Unfortunately, that 403 is the only legit response when an improperly formatted authorization header is submitted to the server. That header is one big encrypted byte array that includes all the parameters mentioned above, as well as external URL. Yes, the same URL that you just sent your request to gets encrypted into the auth header. So if you have one byte incorrectly encoded, it routes correctly but the auth header is incorrect and… “The pattern is full ghost rider”, 403!