Authentication

NetSuite 2026.1 includes the following enhancements to authentication features:

Login Notification

As of NetSuite 2026.1, users with the Administrator role can set up a login notification in their account. This feature can be used, for example, to comply with NIST standards that require a login banner.

When a login notification is set in the account, the system displays a compliance message to every user during login. Users must acknowledge the message before accessing the account.

Users with the Administrator role can track acknowledgments, including the date and time when users acknowledged the compliance message, using the Login Audit Trail.

Limited Number of Certificates per Integration Record

As of NetSuite 2026.1, you can have a maximum of five active certificates for each integration record. The number of revoked certificates remains unlimited. You can check the list of certificates on the OAuth 2.0 Client Credentials (M2M) Setup page.

Support for Multiple Redirect URIs

NetSuite now supports multiple Redirect URIs for integration records that use the OAuth 2.0 authorization code grant flow.

Multiple Sessions per User Requires 2FA

In NetSuite 2025.2, every NetSuite user was able to maintain three NetSuite sessions simultaneously. As of NetSuite 2026.1, this feature is updated to enhance the security of your account:

  • Previously, the feature was automatically activated when the account was upgraded to NetSuite 2025.2. As of NetSuite 2026.1, a user with the Administrator role must explicitly allow multiple sessions per user on the Enable Features page.

  • As of NetSuite 2026.1, only users with 2FA-required roles can use this feature. If a user has more than one role in the account, all roles must be 2FA-required.

Manage OAuth 2.0 Client Credentials Certificates Using the Client Credentials Certificate Rotation Endpoint

As of NetSuite 2026.1, you can use the certificate rotation endpoint to manage certificates programmatically. This enables you to list, create, or revoke certificates used for the OAuth 2.0 client credentials flow.

PKCE Required for OAuth 2.0 Authorization Code Grant Flow in NetSuite 2027.1

Currently, PKCE is an optional security extension for the OAuth 2.0 authorization code grant flow when a confidential client is used. PKCE is required only for public clients.

As of NetSuite 2027.1, all newly created integrations using the OAuth 2.0 authorization code grant flow must include the PKCE parameters in their requests to the authorization and token endpoints. This requirement applies to both public and confidential clients.
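An added example, not NetSuite's own code, showing the PKCE parameters a client must add to the authorization and token requests (RFC 7636, S256 method) and the check the authorization server performs on code exchange. The parameter names follow RFC 7636 and RFC 6749; the client ID, redirect URI, scope and state values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))). Do not use "plain".
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, scope: str, state: str, verifier: str) -> dict:
    # Query parameters for the authorization endpoint: only the challenge is sent,
    # the verifier stays with the client until the token request.
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def token_params(code: str, redirect_uri: str, verifier: str) -> dict:
    # Form body for the token endpoint; the verifier proves this client started the flow.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    # The authorization server's check at code exchange: an intercepted code alone is
    # useless without the verifier that hashes to the challenge stored with it.
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()  # placeholder values below are constructed, not real
    params = authorize_params("client-id-placeholder", "https://example.com/callback",
                              "rest_webservices", secrets.token_urlsafe(16), verifier)
    print("authorize?" + urlencode(params))
    print(server_verifies(params["code_challenge"], verifier))
```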

End of Support for New Integrations Using the Token-based Authentication (TBA) feature in 2027.1

As of 2027.1, support ends for new integrations using SOAP web services in NetSuite. For more information, see SOAP Removal Plans FAQ. As part of this gradual removal, as of 2027.1, you will no longer be able to create new integrations using the Token-based Authentication (TBA) feature with SOAP web services, REST web services, or RESTlets.

Existing integrations using TBA will continue to work. However, you should consider switching to the OAuth 2.0 feature as soon as possible. For more information, see OAuth 2.0.