Token-based Authentication (TBA)
NetSuite supports token-based authentication (TBA), a robust, industry-standard mechanism that increases overall system security. TBA enables client applications to access NetSuite through its APIs with a token, so RESTlets and web services integrations never need to store user credentials.
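To show what "using a token" means on the wire, here is an added example (not code from the NetSuite documentation): TBA is built on the OAuth 1.0a signing scheme with HMAC-SHA256, so the consumer secret and token secret act only as HMAC keys and never appear in the request; the server-side verifier recomputes the same signature. The account ID, RESTlet URL and credential values used below are constructed placeholders, and the `lookup_secrets` callback stands in for whatever store holds the secrets on the verifying side.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

SIG_METHOD = "HMAC-SHA256"  # NetSuite has deprecated HMAC-SHA1 for TBA

def pct(value):
    """RFC 3986 percent-encoding that OAuth 1.0a requires (keeps only A-Z a-z 0-9 - . _ ~)."""
    return quote(str(value), safe="")

def signature_base_string(method, url, oauth_params):
    """Canonical string both sides sign: METHOD & base URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # RESTlet query parameters (script=, deploy=) are covered by the signature as well.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA256 over the base string, keyed by consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha256).digest()).decode()

def tba_auth_header(method, url, account, creds, nonce=None, timestamp=None):
    """Client side: build the Authorization header; the secrets act only as HMAC keys."""
    oauth = {"oauth_consumer_key": creds["consumer_key"], "oauth_token": creds["token_id"],
             "oauth_nonce": nonce or secrets.token_hex(16),
             "oauth_timestamp": str(timestamp or int(time.time())),
             "oauth_signature_method": SIG_METHOD, "oauth_version": "1.0"}
    sig = sign(signature_base_string(method, url, oauth), creds["consumer_secret"], creds["token_secret"])
    fields = {"realm": account, **oauth, "oauth_signature": sig}
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in fields.items())

def verify_tba_header(method, url, header, lookup_secrets, max_skew=300, now=None):
    """Server side: recompute the signature from the stored secrets and compare in constant time."""
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[k] = unquote(v.strip('"'))
    sig, ts = fields.pop("oauth_signature", ""), fields.get("oauth_timestamp", "")
    fields.pop("realm", None)  # realm is not part of the signed parameter set
    if fields.get("oauth_signature_method") != SIG_METHOD or not ts.isdigit():
        return False
    if abs((now or int(time.time())) - int(ts)) > max_skew:  # a real server also rejects reused nonces
        return False
    found = lookup_secrets(fields.get("oauth_consumer_key"), fields.get("oauth_token"))
    return found is not None and hmac.compare_digest(sign(signature_base_string(method, url, fields), *found), sig)
```

Because the HTTP method, URL and query string are all inside the signed base string, a captured header cannot be replayed against a different RESTlet or with a different method, and the timestamp check bounds how long a capture stays usable.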
Only TBA and OAuth 2.0 can be used for RESTlet and web services integrations.
OAuth 2.0 cannot be used with SOAP web services. For more information, see OAuth 2.0.
Two-factor authentication (2FA) is not compatible with integrations. When using any 2FA-required role, it is not possible to use user credentials with TBA integrations. Use either OAuth 2.0 or the TBA authorization flow.
You should use the TBA authorization flow or OAuth 2.0 for all new integrations. You should also consider migrating existing integrations that currently use the issuetoken endpoint to the authorization flow. For more information, see The Three-Step TBA Authorization Flow.
Password rotation policies in your account don’t apply to tokens, so you don’t need to manage passwords for your RESTlet and web services integrations. Token-based authentication lets integrations follow any authentication policy set up in your NetSuite account for UI login, such as SAML Single Sign-on, OpenID Connect (OIDC), or Two-Factor Authentication. You can use 2FA roles and roles with SAML Single Sign-on permissions with TBA.
Tokens you create with Token-based Authentication in your NetSuite production account aren’t copied to your Release Preview or sandbox accounts. To test this feature in Release Preview or a sandbox, you’ll need to create new tokens in that account. Every time you refresh the sandbox, you’ll need to create new tokens there as well.
See the following topics for more information about TBA: