Token-based Authentication (TBA)

NetSuite supports token-based authentication (TBA), a robust, industry standard-based mechanism that increases overall system security. TBA enables client applications to use a token to access NetSuite through APIs, without RESTlets or web services integrations storing user credentials.

You can use only TBA and OAuth 2.0 for RESTlets and web services integrations.


OAuth 2.0 cannot be used with SOAP web services. For more information, see OAuth 2.0.

Two-factor authentication (2FA) is not compatible with integrations. When using any 2FA-required role, it is not possible to use user credentials with TBA integrations. Use either OAuth 2.0, or the TBA authorization flow.

You should use the TBA authorization flow, or OAuth 2.0, for all new integrations. You should also consider migrating existing integrations that currently use the issuetoken endpoint to the authorization flow. For more information, see The Three-Step TBA Authorization Flow.

Password rotation policies in the account do not apply to tokens, making password management unnecessary for your RESTlet and web services integrations. Token-based authentication allows integrations to comply with any authentication policy that is deployed in a NetSuite account for UI login, such as SAML Single Sign-on, OpenID Connect (OIDC), and Two-Factor Authentication. You can use Two-Factor Authentication (2FA) roles and roles with SAML Single Sign-on permissions with TBA.
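As an added example (not NetSuite's own code), the following shows how a client assembles the signed Authorization header for a TBA call to a RESTlet, so that only token material, never a user password, is held by the integration. It assumes the OAuth 1.0a request-signing style that TBA uses, with HMAC-SHA256 as the signature method and the account ID as the realm; the account, script and deploy values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """Percent-encode as OAuth 1.0a requires (RFC 3986, only unreserved characters kept)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD & encoded base URL & encoded, sorted 'k=v' list of query and oauth_* params."""
    # The realm is deliberately absent: OAuth 1.0a excludes it from the signature.
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(oauth_params)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def tba_authorization_header(method, url, account_id, consumer_key, consumer_secret,
                             token_id, token_secret, nonce=None, timestamp=None):
    """Return the Authorization header value for a TBA request signed with HMAC-SHA256."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_id,
        # A fresh nonce and current timestamp per request let the server reject replays.
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth)
    # Signing key is consumer secret & token secret. No user password is involved,
    # so the integration stores only token material and password rotation does not apply.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha256).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return f'realm="{account_id}", {fields}'
```

Send the returned value as the `Authorization` header of the HTTPS request; the secrets themselves never leave the client.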


Tokens created using the Token-based Authentication feature in your NetSuite production account are not copied to your Release Preview or to your sandbox accounts. To test this feature in Release Preview or in a sandbox, you must create new tokens in that account. Each time the sandbox is refreshed, you must create new tokens in the sandbox.

See the following topics for more information about TBA:
