Setting up Token-based Authentication for a RESTlet integration

NetSuite supports token-based authentication (TBA), a robust, industry standard-based mechanism that increases the overall security of the system. This authentication mechanism enables client applications to use a token to access NetSuite through APIs, eliminating the need for RESTlets to store user credentials. A token is valid for one specific company, user entity, and role only.


All encoding in TBA is percent encoding. Strings must be escaped using RFC 3986. If you do not escape characters in the header, you may receive an INVALID_LOGIN_ATTEMPT error. For more information about percent encoding, go to


Web Services Only roles are only for access to NetSuite through web services. Roles with the Web Services Only restriction will not work with RESTlets.

For more information, see Getting Started with Token-based Authentication.

When you use token-based authentication, password rotation policies in the account do not apply to tokens, and password management is unnecessary for your RESTlet integrations. Token-based authentication allows integrations to comply with any authentication policy that is deployed in a NetSuite account for UI login, such as SAML Single Sign-on or two-factor authentication. To enable token-based authentication, see Enable the Token-based Authentication Feature.

You can create a token and assign it to a user by logging in to NetSuite as an administrator and generating token credentials manually. NetSuite users can also generate a token for themselves. See Token-based Authentication (TBA) Permissions.

For code samples and examples of signature creation and token-based authentication, see SuiteAnswer 42171 and SuiteAnswer 42019.
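The following is an added example (not NetSuite's own sample code from the SuiteAnswers above) of how the percent-encoding rule and the signature creation described on this page fit together when a RESTlet request is signed with TBA. It assumes OAuth 1.0-style HMAC-SHA256 signing with the account ID as the realm; the account, keys, script and deployment values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left unencoded."""
    return quote(str(s), safe="")


def oauth_base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & enc(URL) & enc(sorted, encoded k=v pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def tba_authorization_header(account: str, consumer_key: str, consumer_secret: str,
                             token_id: str, token_secret: str, method: str, url: str,
                             query: dict, nonce: str = None, timestamp: str = None):
    """Return (Authorization header value, base string) for a RESTlet request.
    nonce/timestamp are parameters only to make results reproducible in tests."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_id,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_version": "1.0",
    }
    base = oauth_base_string(method, url, {**query, **oauth})
    # Signing key: enc(consumer secret) & enc(token secret); the secrets themselves
    # never leave the client, which is what lets the RESTlet avoid storing credentials.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha256).digest()
    fields = {**oauth, "oauth_signature": base64.b64encode(digest).decode()}
    # The realm carries the account ID; every header value is percent-encoded as well.
    header = f'OAuth realm="{pct(account)}", ' + ", ".join(
        f'{k}="{pct(v)}"' for k, v in fields.items())
    return header, base


if __name__ == "__main__":
    # Constructed placeholder values; replace with the credentials issued for your account.
    hdr, _ = tba_authorization_header(
        "123456_SB1", "CONSUMER_KEY", "CONSUMER_SECRET", "TOKEN_ID", "TOKEN_SECRET",
        "GET", "https://123456.restlets.api.netsuite.com/app/site/hosting/restlet.nl",
        {"script": "123", "deploy": "1"})
    print(hdr)
```

Because the server recomputes the same base string, any character left unescaped on the client (a space, `/`, `+`) produces a different signature, which is the usual cause of the INVALID_LOGIN_ATTEMPT error mentioned above.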

For information about calling a token endpoint to issue or revoke a token, see Issue Token and Revoke Token REST Services for Token-based Authentication in the Token-based Authentication section of the Help Center.

Related Topics

RESTlet Authentication
Authentication for RESTlets
Using User Credentials for RESTlet Authentication