Authentication for RESTlets

RESTlets must use REST URLs to connect to NetSuite. If the RESTlet call comes from an external client, the URL must include a domain specific to your NetSuite account. To handle this task, you can also use the roles service, as described in The REST Roles Service.

• For a RESTlet called from an external client, you can use OAuth or the NetSuite-specific method NLAuth in the HTTP Authorization header. OAuth uses token-based authentication (TBA) or OAuth 2.0 to access resources on behalf of a user, eliminating the need to share login credentials. You should use OAuth 2.0 for RESTlet authentication. For more information, see the following topics:

  • OAuth 2.0 for Integration Application Developers for OAuth 2.0.

  • The Three-Step TBA Authorization Flow for TBA.

  NLAuth passes in NetSuite login credentials such as company ID, user name, password, role, and application ID. See Using User Credentials for RESTlet Authentication. User credentials authentication is no longer supported for newly created RESTlets.

• For a RESTlet called from a client hosted by the same NetSuite account that hosts the RESTlet, you do not need to pass authentication information in the HTTP request. This does not apply to Suitelets. A check for all valid NetSuite session cookies occurs, and this existing session is reused.

Important:

RESTlet authentication can use either the HTTP Authorization header or all session cookies, but not both. Ensure that your script uses only one form of authentication.

Related Topics

• Authentication
• RESTlet Authentication
• Setting up Token-based Authentication for a RESTlet integration
• Setting up OAuth 2.0 for a RESTlet Integration
• Using User Credentials for RESTlet Authentication

General Notices