RESTlets must use REST URLs to connect to NetSuite. If the RESTlet call comes from an external client, the URL must include a domain specific to your NetSuite account. For information about account-specific domains for RESTlets, see Integration Domains. To determine the domain, you can also use the roles service, as described in The REST Roles Service.
For a RESTlet called from an external client, you can use OAuth or the NetSuite-specific method NLAuth in the HTTP Authorization header. With OAuth, the client uses token-based authentication (TBA) or OAuth 2.0 to access resources on behalf of a user, which eliminates the need to share login credentials such as username and password. You should use TBA or OAuth 2.0 for RESTlet authentication. For more information, see the following topics:
OAuth 2.0 for Integration Application Developers for OAuth 2.0.
NLAuth passes in NetSuite login credentials such as company ID, user name, password, role, and application ID. See Using User Credentials for RESTlet Authentication.
For a RESTlet called from a client hosted by the same NetSuite account that hosts the RESTlet, you do not need to pass authentication information in the HTTP request. NetSuite checks for all valid NetSuite session cookies and reuses the existing session.
RESTlet authentication can use either the HTTP Authorization header or all session cookies, but not both. Ensure that your script uses only one form of authentication.
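The rules above can be enforced in a client before a request leaves it. The following pre-flight check is an added example, not NetSuite code; the host pattern `<accountId>.restlets.api.netsuite.com`, the function name `checkRestletRequest`, the finding labels, and the sample requests are assumptions made for illustration.

```javascript
// Added example: lint an outgoing RESTlet request against the rules on this page.
// ASSUMPTION: account-specific RESTlet hosts look like
// <accountId>.restlets.api.netsuite.com; use the value from Integration Domains.
const ACCOUNT_HOST = /^[a-z0-9-]+\.restlets\.api\.netsuite\.com$/i;

// HTTP header names are case-insensitive, so look them up that way.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// external = true: caller is outside NetSuite; false: client hosted by the same account.
function checkRestletRequest({ url, headers = {}, external = true }) {
  const findings = [];
  const auth = headerValue(headers, 'authorization');
  const cookie = headerValue(headers, 'cookie');
  const scheme = auth ? auth.split(/\s+/)[0].toLowerCase() : null;

  // Authorization header or session cookies, never both.
  if (auth && cookie) findings.push('both-auth-forms');

  if (external) {
    let host = '';
    try { host = new URL(url).hostname; } catch (e) { /* unparsable URL fails below */ }
    if (!ACCOUNT_HOST.test(host)) findings.push('not-account-specific-url');

    if (!auth) findings.push('missing-authorization');
    // NLAuth puts login credentials in the header; TBA or OAuth 2.0 is preferred.
    else if (scheme === 'nlauth') findings.push('nlauth-credentials');
    else if (scheme !== 'oauth' && scheme !== 'bearer') findings.push('unknown-scheme');
  }
  return findings;
}

// Constructed sample requests (not real accounts, tokens or sessions).
const samples = [
  { url: 'https://123456.restlets.api.netsuite.com/restlet?script=1&deploy=1',
    headers: { Authorization: 'OAuth realm="123456"' } },
  { url: 'https://rest.netsuite.com/restlet?script=1&deploy=1',
    headers: { authorization: 'NLAuth placeholder', Cookie: 'session=constructed' } },
  { url: '/restlet?script=1&deploy=1', external: false,
    headers: { Cookie: 'session=constructed' } },
];
for (const s of samples) console.log(s.url, checkRestletRequest(s));
```

An empty result means the request uses exactly one form of authentication and, for an external caller, a token-based scheme on an account-specific host.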