ml-connector
Oracle NetSuiteBasware

Oracle NetSuite and Basware integration

Oracle NetSuite is the ERP and ledger of record. Basware handles invoice receipt, coding, matching, and approval before anything reaches the books. Connecting the two means an approved Basware invoice posts into NetSuite as a vendor bill without re-keying, and the transfer is confirmed back to Basware so its status stays accurate. NetSuite vendor records and GL accounts flow the other way so the coding panel in Basware only offers values that exist in the ledger. ml-connector handles the different authentication on each side and moves the records on the cadence you set.

How Oracle NetSuite works

Oracle NetSuite exposes vendors, vendor bills, purchase orders, vendor payments, GL accounts, and the department, class, and location dimensions through SuiteTalk REST Web Services, with SuiteQL available for bulk reads. The base URL is account-specific, so there is no shared hostname, and the recommended OAuth 2.0 client credentials flow is certificate-based: the connector signs a JWT with a private key whose public certificate the customer has uploaded, and tokens last 60 minutes with no refresh token. NetSuite can push create and edit events through Event Subscriptions, but those events carry no HMAC signature, so reads are normally done by polling with an IP allowlist on the listener.

How Basware works

Basware exposes accounting documents, purchase orders, vendors, GL accounts, and accounting dimensions through its P2P REST API on a region-specific base URL for EU, US, AU, or CA. Authentication is OAuth2 client credentials, with the client id and secret sent as HTTP Basic auth to the token endpoint and the resulting bearer token used on every call. Vendors, accounts, and dimensions are import endpoints, so the ERP is the system of record and manual edits in the Basware UI are overwritten on the next import. Basware pushes events such as an accounting document waiting for transfer through HMAC-SHA256 signed webhooks, and credentials are provisioned by a Basware consultant rather than self-served.

What moves between them

The main flow runs from Basware into Oracle NetSuite. When Basware finishes coding and approving an invoice it raises an AccountingDocuments event, and ml-connector reads that accounting document, including its header and coding lines, and posts it into NetSuite as a vendor bill with the matching vendor, subsidiary, GL accounts, and cost centers, then calls the Basware transfer response endpoint to mark it transferred. Vendor master data and the chart of accounts flow the other way, from NetSuite into Basware, so the coding panel only offers accounts and suppliers that exist in the ledger. When a vendor payment is recorded in NetSuite, ml-connector confirms it back to Basware through the payment response endpoint, since Basware tracks payment status but never initiates payment itself.

How ml-connector handles it

ml-connector stores both credential sets encrypted. For NetSuite it signs a JWT with the customer private key on each token request and refreshes the 60 minute token when a call returns 401, and it accepts the full account-specific host since NetSuite has no shared base URL. For Basware it sends the client id and secret as Basic auth to the regional token endpoint and reuses the bearer token until it expires. Inbound Basware webhooks are verified against the X-BWAPI-Signature-256 header, parsing the body as UTF-8 and rejecting stale timestamps, while a scheduled poll backfills anything a webhook missed. Basware paginates with a continuation token returned in a response header that must be sent back as a request header, so paging is handled in code rather than as a query parameter. Each posted vendor bill carries an externalId so a retry upserts rather than duplicating, vendors and GL accounts are aligned before invoices move so every coding line lands on a valid NetSuite account, and a 429 from either side triggers backoff with jitter. Every record keeps a full audit trail and can be replayed if a post fails.

A real-world example

A mid-sized manufacturer with around 600 staff runs Oracle NetSuite OneWorld across three subsidiaries for finance and inventory and routes every supplier invoice through Basware for coding and approval. Before the integration, an AP clerk waited for invoices to clear approval in Basware, then re-keyed each one into NetSuite as a vendor bill, picking the subsidiary, GL account, and cost center by hand, which was slow and produced posting errors that surfaced at month-end. With Oracle NetSuite and Basware connected, an approved invoice posts into NetSuite as a vendor bill automatically with the coding Basware already captured, the transfer is confirmed back to Basware, and vendor and account changes in NetSuite keep the Basware coding panel current. The clerk reviews exceptions instead of typing every bill.

What you can do

  • Post approved Basware accounting documents into Oracle NetSuite as vendor bills with their existing coding.
  • Confirm each transfer back to Basware so its document status reflects the NetSuite posting.
  • Push NetSuite vendor master data and the chart of accounts into Basware so coding panels stay valid.
  • Confirm NetSuite vendor payments back into Basware through its payment response endpoint.
  • Bridge the NetSuite certificate-signed JWT and the Basware OAuth2 bearer token, with retries and a full audit trail.

Questions

Which direction does data move between Oracle NetSuite and Basware?
Approved invoices move from Basware into Oracle NetSuite as vendor bills, and the transfer is confirmed back to Basware afterward. Vendor master data and GL accounts move the other way, from NetSuite into Basware, so coding only uses values that exist in the ledger. When NetSuite records a vendor payment, ml-connector confirms it back to Basware, because Basware tracks payment status but does not initiate payment.
How does the integration handle NetSuite certificate authentication and Basware credentials?
NetSuite uses a certificate-based OAuth 2.0 client credentials flow, so ml-connector signs a JWT with the customer private key on each token request and refreshes the 60 minute token when it expires. Basware uses OAuth2 client credentials sent as HTTP Basic auth to a region-specific token endpoint. Both credential sets are stored encrypted, and the Basware credentials must be provisioned by a Basware consultant rather than self-served.
What stops a duplicate vendor bill if a Basware webhook is delivered twice?
Every vendor bill is posted to NetSuite with an externalId, so a repeated post upserts the existing record instead of creating a second bill. Basware can also redeliver a webhook, so each notification is verified by its HMAC-SHA256 signature and treated as idempotent. A scheduled poll backfills any document a webhook missed, and any failed post can be replayed from the audit trail.

Related integrations

More Oracle NetSuite integrations

Oracle NetSuite and Adobe CommerceOracle NetSuite and ADPOracle NetSuite and AdyenOracle NetSuite and AirbaseOracle NetSuite and Amazon Seller CentralOracle NetSuite and AnaplanOracle NetSuite and SAP AribaOracle NetSuite and AsanaOracle NetSuite and AvalaraOracle NetSuite and AvidXchangeOracle NetSuite and BambooHROracle NetSuite and BigCommerce

Other systems that connect to Basware

Acumatica and BaswareDATEV and BaswareDeltek and BaswareMicrosoft Dynamics 365 Business Central and BaswareMicrosoft Dynamics 365 F&O and BaswareMicrosoft Dynamics GP and BaswareMicrosoft Dynamics NAV and BaswareEpicor Kinetic and BaswareExact Online and BaswareFreshBooks and BaswareIFS Cloud and BaswareInfor CloudSuite and Basware

Connect Oracle NetSuite and Basware

Free to use. Add your credentials, ping your real systems, and see if we fit.

Get started