Working with Online Forms

Only the APIs listed in the following table are supported on online forms.


These are also the only APIs supported on externally available Suitelets (Suitelets set to Available Without Login on the Script Deployment page). For more information on externally available Suitelets, see SuiteScript and Externally Available Suitelets.

SuiteScript APIs available on online forms and externally available Suitelets

SuiteScript does not support direct access to the NetSuite UI through the Document Object Model (DOM). The NetSuite UI should only be accessed using SuiteScript APIs.

Why are only certain APIs supported on online forms?

For security reasons, many SuiteScript APIs are not supported on online forms or externally available (Available Without Login) Suitelets. Online forms and externally available Suitelets are used for generating stateless pages that access or manipulate account information that is not considered to be confidential. Therefore, scripts running on these pages cannot be used to access information on the server because that would require a valid NetSuite session (through user authentication).

Note that server-side SuiteScript execution for such pages (for example, user events and/or Suitelet page generation or backend code) have no such restrictions.


nlapiGetRole() always returns -31 (the online form user role) when used in this context. nlapiGetUser() returns -4, the return value for an entity if a user cannot be properly identified by NetSuite. This occurs when the user has not authenticated to NetSuite, for example, when using externally available (Available without Login) Suitelets or online forms.

The APIs listed in the previous section all operate on the current page and will run as expected without a valid NetSuite session. Note that both types of pages (online forms and externally available Suitelets) are hosted on a NetSuite domain called <accountID> Having a separate domain for online forms and externally available Suitelets prevents secure NetSuite sessions established on <accountID> from carrying over to these pages.

NetSuite supports TLS 1.2 encryption for <accountID>, <accountID>, and other NetSuite domains. Only requests sent using TLS encryption are granted access.

The following figure uses a Suitelet Script Deployment page to show the two domains types. In this case, the Available Without Login preference is selected. When this Suitelet is called, it will be called from the <accountID> domain. So long as only the APIs listed in the table SuiteScript APIs available on online forms and externally available Suitelets have been used (in addition to any UI Objects), this externally available Suitelet will load and run as intended.

If the Available Without Login preference is not set, the Suitelet will be called from the login domain <accountID>

For more information about NetSuite domains, see Understanding NetSuite URLs.


Although it is not shown on the Script Deployment record, the internal URL is prepended with https://<accountID>

A Suitelet Script Deployment record displaying 2 domain types

General Notices