The NLAuth Authorization Header in TBA

See The Three-Step TBA Authorization Flow, which should be used for all new integrations that use TBA. Developers of existing integrations currently using the NLAuth authorization header should consider migrating the integration to the TBA authorization flow.

To construct an NLAuth authorization header, use the fields described in the following table.


Strings must be escaped using RFC 3986. If you do not escape characters in the header, you may receive an INVALID_LOGIN_ATTEMPT error. For more information about percent encoding, see




The account ID of the NetSuite account.


The email address with which the user logs in to NetSuite.


The user’s password.


The internal ID of a role with which the user is associated.


The application ID of the integration associated with the RESTlet.



This parameter can only be used with the issuetoken endpoint.

The value of the one-time password (OTP) is the same as the value of a two–factor authentication (2FA) verification code generated by an authenticator app when a user is logging in to the NetSuite UI.

For more information, see Troubleshoot Token-based Authentication (TBA).

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Troubleshoot Token-based Authentication (TBA)

General Notices