NetSuite supports token-based authentication (TBA), a robust, industry standard-based mechanism that increases the overall security of the system. TBA enables client applications to use a token to access NetSuite through APIs, so the RESTlet integration does not have to store user credentials. A token is valid for one specific company, user entity, and role only.
All encoding in TBA is percent encoding. Strings must be escaped using RFC 5849. If you do not escape characters in the header, you may receive an INVALID_LOGIN_ATTEMPT error. For more information about percent encoding, go to https://tools.ietf.org/html/rfc5849#section-3.6.
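The following is an added example, not code from the NetSuite documentation, showing what RFC 5849 section 3.6 percent encoding means in practice: only letters, digits, "-", ".", "_" and "~" are left as-is, and every other byte of the UTF-8 encoding becomes an uppercase %XX escape. It uses Python's standard urllib.parse.quote, contrasts it with the library default (which leaves "/" unescaped), and adds a pre-flight check you can run on each header component before sending the request. The parameter names oauth_token, oauth_nonce and oauth_signature and all sample values are constructed for illustration, not real credentials.

```python
"""Added example, not part of the NetSuite documentation: percent-encoding
per RFC 5849 section 3.6, which every string in a TBA OAuth header must use."""
import re
from urllib.parse import quote

# RFC 5849 section 3.6: only ALPHA, DIGIT, "-", ".", "_" and "~" stay as-is;
# every other byte of the UTF-8 encoding becomes %XX with UPPERCASE hex.
_UNRESERVED = "-._~"
_ENCODED_RE = re.compile(r"^(?:[A-Za-z0-9\-._~]|%[0-9A-F]{2})*$")


def rfc5849_encode(value: str) -> str:
    """Percent-encode a string exactly as RFC 5849 section 3.6 prescribes."""
    # quote() already encodes str as UTF-8 and emits uppercase hex; the only
    # thing to override is its default safe set, which would leave "/" alone.
    return quote(value, safe=_UNRESERVED)


def naive_encode(value: str) -> str:
    """A common mistake: the library default keeps "/" unescaped, so a value
    containing a path or URL is not RFC 5849-encoded and the request can be
    rejected with INVALID_LOGIN_ATTEMPT."""
    return quote(value)


def is_rfc5849_encoded(value: str) -> bool:
    """Pre-flight check for one header component: True only if every
    character is unreserved or a well-formed uppercase %XX escape."""
    return _ENCODED_RE.fullmatch(value) is not None


def encode_header_params(params: dict) -> str:
    """Encode each key and value and render the comma-separated, quoted
    key="value" list used inside an OAuth Authorization header.
    Keys are sorted only to make the output deterministic."""
    return ", ".join(
        f'{rfc5849_encode(k)}="{rfc5849_encode(v)}"'
        for k, v in sorted(params.items())
    )


if __name__ == "__main__":
    # Constructed sample values (assumed parameter names), not real credentials.
    sample = {
        "oauth_token": "tok/abc 123",
        "oauth_nonce": "n0nce~Z",
        "oauth_signature": "k+Xy/==",
    }
    print("OAuth " + encode_header_params(sample))
    for v in sample.values():
        assert is_rfc5849_encoded(rfc5849_encode(v))
    # Shows the unescaped "/" that the library default leaves behind.
    print("naive:", naive_encode("https://example.com/a b"))
```

Run the validator on every encoded component (including the signature, which is base64 and therefore contains "+", "/" and "=") before assembling the header; a component that fails the check is the usual source of an INVALID_LOGIN_ATTEMPT response caused by encoding rather than by wrong credentials.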
Web Services Only roles grant access to NetSuite only through web services. Roles with the Web Services Only restriction do not work with RESTlets.
For more information, see Getting Started with Token-based Authentication.
When you use TBA, password rotation policies in the account do not apply to tokens, so password management is unnecessary for your RESTlet integrations. TBA allows integrations to comply with any authentication policy that is deployed in a NetSuite account for UI login, such as SAML Single Sign-on or two-factor authentication. To enable TBA, see Enable the Token-based Authentication Feature.
You can create a token and assign it to a user by logging in to NetSuite as an administrator and generating token credentials manually. NetSuite users can also generate tokens for themselves. See Token-based Authentication (TBA) Permissions.
For code samples and examples of signature creation, see OAuth Library Consumption for Client Application and Create oauth_signature for Token-based Authentication in RESTlet.
For information about calling a token endpoint to issue or revoke a token, see Issue Token and Revoke Token REST Services for Token-based Authentication in the Token-based Authentication section of the Help Center.