Hosted by a third party. This MCP server is built and hosted by the
vendor, not Runlayer. This guide covers connecting it through Runlayer for
governance, policies, and audit.
Prerequisites (in NetSuite)
Complete every step below before adding the connector in Runlayer. Use Oracle’s own documentation as the source of truth — screens and permission names vary by NetSuite version.1
Enable required SuiteCloud features
Go to Setup > Company > Enable Features > SuiteCloud and confirm the features required by the NetSuite AI Connector Service are enabled (including Server SuiteScript and OAuth 2.0).Follow Oracle’s guide for the authoritative list: Setting Up the NetSuite AI Connector Service.
2
Grant the required role permissions
Go to Setup > Users/Roles > Manage Roles and edit each role that should be able to use the connector. Under the Permissions > Setup subtab, add the permissions listed in Oracle’s setup guide, including:
- MCP Server Connection
- Log in using OAuth 2.0 Access Tokens — this is a distinct permission from “Log in using Access Tokens”. They look almost identical; the connector requires the OAuth 2.0 variant.
3
Create an integration record for Runlayer
NetSuite auto-provisions integration records for some AI clients (e.g. ChatGPT, Claude Desktop) but does not do this for Runlayer. You must create one manually.Follow Oracle’s guide: Creating an Integration Record for the NetSuite AI Connector Service.When creating the record:
-
Set the Redirect URI (also labeled “callback URL”) to your Runlayer callback, exactly and with no trailing slash:
-
Enable the
mcpscope on the integration record. No other scopes are required. - Copy the Client ID and Client Secret that NetSuite generates — you’ll enter these in Runlayer.
- If you already have multiple NetSuite integration records for other AI clients, avoid duplicates for Runlayer; keep a single, clearly named record for it.
4
Get the MCP server URL for your account
The NetSuite AI Connector Service MCP endpoint is scoped to your NetSuite account and to a specific role. Retrieve the exact URL for your account from Oracle’s NetSuite AI Connector Service documentation.
Setup in Runlayer
1
Add the NetSuite connector
- In Runlayer, go to My connectors, find NetSuite, and click Add connector
- Enter the MCP server URL from the previous step
- Enter the Client ID and Client Secret from your NetSuite integration record
- Click Deploy Server
2
Authorize
- On the server page, click Connect under Missing Authorization
- Sign in to NetSuite as a user who has been granted the role configured above
- If NetSuite prompts you to Choose another role, pick the least-privilege role you configured — not Administrator
Troubleshooting
Work through the checks below in order.tools/list returns 401 after connecting
tools/list returns 401 after connecting
Authorization succeeded, but NetSuite rejected the follow-up request to list tools. This is a permissions issue on the role, not an OAuth issue.Recheck the role’s permissions against the Oracle setup guide and make sure the permissions were added to the exact role the user selected at sign-in.
Redirect URI mismatch
Redirect URI mismatch
NetSuite rejects the callback because it isn’t allowlisted on the integration record.Confirm that the integration record’s Redirect URI matches your Runlayer callback exactly, with no trailing slash:See Oracle’s Creating an Integration Record for the NetSuite AI Connector Service for the setting’s location.
Multiple NetSuite integration records for the same client
Multiple NetSuite integration records for the same client
If your NetSuite account has several integration records for AI clients, users can end up authorizing against the wrong one. Confirm the Client ID and Client Secret you entered in Runlayer belong to the Runlayer-specific integration record, and disable duplicates.
Reference — Oracle documentation
Keep Oracle’s docs as the source of truth for NetSuite-side configuration. These are the pages this guide relies on:- NetSuite AI Connector Service overview
- Setting Up the NetSuite AI Connector Service — features and role permissions
- Creating an Integration Record
- Role permissions reference
- Common OAuth errors (
invalid_grant)
Getting help from NetSuite
If you’ve worked through the troubleshooting section and are still stuck, open a support case with NetSuite Customer Support (via SuiteAnswers or your NetSuite account team). NetSuite can see server-side logs for your account and integration record — including the exact permission or setting that rejected the request — that aren’t visible to Runlayer. Include in the case:- The exact error message and, if visible, the HTTP status and NetSuite error code (e.g.
invalid_grant) - The authorization URL Runlayer opens when you click Connect (copy it from the browser)
- The MCP server URL configured in Runlayer
- The role you selected at sign-in and confirmation that it is not Administrator / a full-permissions role
- Confirmation that the role has every permission listed in Oracle’s Setting Up the NetSuite AI Connector Service guide
- Confirmation that a Runlayer-specific integration record exists with the
mcpscope and the correct Redirect URI