The Three-Step TBA Authorization Flow

As of 2019.2, you can use a redirection-based authorization flow with token-based authentication. User credentials are not stored by the application or entered into its forms. Users enter their credentials into one of the following login forms as part of the flow:

The redirection-based authorization flow consists of three steps. Click the following links for more detailed information about each step.

With the TBA authorization flow, the process of granting an access token begins in your application. The request token URL generates an intermediate (unauthorized) request token. The user for whom the access token is to be granted authorizes the request token and explicitly consents to the application accessing NetSuite data. If this step succeeds, the application exchanges the request token for an access token to be used when calling a RESTlet or a web service.

The administrator must create integration records for each application. See Create Integration Records for Applications to Use TBA. The administrator must configure the callback URL on the integration record. The underlying application must have the ability to open a browser, and must be able to handle callback URLs.
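
The following is an added example, not NetSuite code: one way an application could validate the callback that ends step two before it exchanges the request token in step three. The parameter names `oauth_token` and `oauth_verifier` follow OAuth 1.0a (RFC 5849) and are assumptions here, as are the class name, the 300-second lifetime, and the constructed `example.test` callback URL.

```python
import time
from urllib.parse import urlsplit, parse_qs

REQUEST_TOKEN_TTL = 300  # seconds; assumed lifetime, not a value from the page


class PendingAuthorizations:
    """Tracks unauthorized request tokens between step 1 and step 3."""

    def __init__(self, now=time.time):
        self._pending = {}  # request token -> (token secret, issued-at)
        self._now = now

    def remember(self, token, secret):
        # Step 1: the request token URL returned an unauthorized request token.
        self._pending[token] = (secret, self._now())

    def accept_callback(self, callback_url, configured_callback):
        """Validate the step 2 redirect; return (token, secret, verifier).

        Raises ValueError on any mismatch. The pending entry is consumed,
        so a replayed callback for the same request token is rejected.
        """
        parts = urlsplit(callback_url)
        if f"{parts.scheme}://{parts.netloc}{parts.path}" != configured_callback:
            raise ValueError("callback does not match the configured callback URL")
        query = parse_qs(parts.query, strict_parsing=True)
        tokens = query.get("oauth_token", [])
        verifiers = query.get("oauth_verifier", [])
        if len(tokens) != 1 or len(verifiers) != 1:
            raise ValueError("missing or duplicated oauth_token / oauth_verifier")
        entry = self._pending.pop(tokens[0], None)
        if entry is None:
            raise ValueError("unknown or already used request token")
        secret, issued = entry
        if self._now() - issued > REQUEST_TOKEN_TTL:
            raise ValueError("request token expired")
        return tokens[0], secret, verifiers[0]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    cb = "https://app.example.test/tba/callback"
    store = PendingAuthorizations()
    store.remember("rt-constructed-1", "secret-constructed-1")
    print(store.accept_callback(cb + "?oauth_token=rt-constructed-1&oauth_verifier=v1", cb))
```

Only the tuple returned by `accept_callback` should be passed to the access token exchange; a callback that raises must end the flow without contacting the access token URL.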


If the application does not have the ability to open a browser and handle callback URLs, continue using the issuetoken endpoint. If this is the case for your application, see The IssueToken Endpoint and Issue Token and Revoke Token REST Services for Token-based Authentication. A tokeninfo endpoint is also available to provide information about a user based on the access token. See Calling a token endpoint to obtain user information based on a token.

Related Topics

Token-based Authentication (TBA) for Integration Application Developers
The IssueToken Endpoint
