Deploy your first customer portal →
SuitePortal/NetSuite ORM

Authentication

Choose between Token-Based Authentication (OAuth 1.0a) and OAuth 2.0 Machine-to-Machine for connecting to NetSuite.

SuitePortal supports two authentication methods for connecting to the NetSuite REST API:

MethodAuth TypeBest For
Token-Based Auth (TBA)tbaQuick setup, existing integrations, broad compatibility
OAuth 2.0 M2Moauth2Certificate-based, no user tokens, recommended for new integrations

Both methods use the same SuitePortal CLI and client API — the only difference is the credentials in your .env file.

Which Should I Use?

OAuth 2.0 M2M is NetSuite's recommended approach for server-to-server integrations going forward. It uses a certificate-based flow where:

  • No user-specific access tokens are needed
  • Identity is tied to a certificate mapping, not a token
  • Credentials don't expire (only the certificate, which you control)

Token-Based Auth (TBA) is the established method and still fully supported. Use it if:

  • Your NetSuite account already has TBA tokens configured
  • You need the simplest possible setup
  • Your organization hasn't adopted OAuth 2.0 M2M yet

Token-Based Authentication (TBA)

TBA uses OAuth 1.0a with HMAC-SHA256 signing. Every request is signed with your consumer and token credentials.

Setup

See the full NetSuite Setup guide for step-by-step instructions.

Environment Variables

.env
NETSUITE_AUTH_TYPE=tba
NETSUITE_ACCOUNT_ID=1234567_SB1
NETSUITE_CONSUMER_KEY=your_consumer_key
NETSUITE_CONSUMER_SECRET=your_consumer_secret
NETSUITE_TOKEN_ID=your_token_id
NETSUITE_TOKEN_SECRET=your_token_secret

Programmatic Usage

query.ts
import { createClient } from './.suiteportal/client';

const ns = await createClient({
  authType: 'tba',
  accountId: '1234567_SB1',
  consumerKey: '...',
  consumerSecret: '...',
  tokenId: '...',
  tokenSecret: '...',
});

OAuth 2.0 Machine-to-Machine (M2M)

OAuth 2.0 M2M uses the Client Credentials grant with a JWT assertion signed by your private key. SuitePortal automatically handles token exchange and refresh.

How It Works

  1. You generate a public/private key pair
  2. Upload the public certificate to NetSuite and map it to an entity + role
  3. SuitePortal signs a JWT with your private key, exchanges it for a Bearer token
  4. The Bearer token is used for API requests (auto-refreshed every 60 minutes)

Setup

See the full NetSuite Setup guide for step-by-step instructions.

Environment Variables

.env
NETSUITE_AUTH_TYPE=oauth2
NETSUITE_ACCOUNT_ID=1234567_SB1
NETSUITE_CLIENT_ID=your_client_id
NETSUITE_CERTIFICATE_ID=your_certificate_id
NETSUITE_PRIVATE_KEY=-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----

The private key can be provided as a single-line string with literal \n characters. SuitePortal automatically converts these to real newlines.

Optional Variables

VariableDefaultDescription
NETSUITE_ALGORITHMES256JWT signing algorithm (ES256, ES384, ES512, PS256, PS384, PS512)
NETSUITE_SCOPESrestlets,rest_webservicesComma-separated OAuth 2.0 scopes

Programmatic Usage

query.ts
import { createClient } from './.suiteportal/client';

const ns = await createClient({
  authType: 'oauth2',
  accountId: '1234567_SB1',
  clientId: '...',
  certificateId: '...',
  privateKey: fs.readFileSync('./private.pem', 'utf8'),
});

Supported Algorithms

AlgorithmKey TypeNotes
ES256EC P-256Default. Recommended for most use cases.
ES384EC P-384Stronger EC curve
ES512EC P-521Strongest EC curve
PS256RSA-PSS 3072+ bitRSA alternative with PSS padding
PS384RSA-PSS 3072+ bit
PS512RSA-PSS 3072+ bit

RS256/RS384/RS512 are not supported. NetSuite deprecated RSA PKCS v1.5 signing in October 2024. Use EC (ES*) or RSA-PSS (PS*) algorithms only.

Token Lifecycle

  • Access tokens are valid for 60 minutes
  • SuitePortal automatically refreshes tokens 5 minutes before expiry
  • No refresh tokens — a new JWT assertion is created for each token request
  • If a request returns 401, the token is cleared and re-fetched on the next request
  • Concurrent requests during a token refresh share the same in-flight refresh (no thundering herd)

Switching Auth Methods

Switching between TBA and OAuth 2.0 only requires changing your .env file. No code changes are needed — the CLI and client detect the auth type automatically from NETSUITE_AUTH_TYPE.

If NETSUITE_AUTH_TYPE is not set, SuitePortal auto-detects: if NETSUITE_CLIENT_ID, NETSUITE_CERTIFICATE_ID, and NETSUITE_PRIVATE_KEY are all present, it uses OAuth 2.0. Otherwise it falls back to TBA.

NetSuite Setup

Step-by-step credential setup for both methods

Configuration

All environment variables and config options

Quickstart

Go from zero to querying NetSuite in 5 minutes.

Introspection

How SuitePortal discovers your NetSuite schema.

On this page

Which Should I Use?Token-Based Authentication (TBA)SetupEnvironment VariablesProgrammatic UsageOAuth 2.0 Machine-to-Machine (M2M)How It WorksSetupEnvironment VariablesOptional VariablesProgrammatic UsageSupported AlgorithmsToken LifecycleSwitching Auth Methods