NetSuite Token-Based Authentication (TBA): Complete Setup & Token Management Guide
Learn how to configure Token-Based Authentication (TBA) on your NetSuite integration record, create access tokens, and manage the token lifecycle. For the initial integration record setup, see our Integration Record Guide.
Prerequisites
- Integration Record: You must have already created an integration record. See the Integration Record Guide
- Permission (for record setup): Administrator role or Integration Application permission
- Permission (for token creation): Access Token Management or User Access Token permission
Configuring TBA on the Integration Record
Once you've created your integration record, configure the TBA-specific options on the Authentication subtab.
📍 Navigation: Setup > Integration > Manage Integrations > [Your Record] > Authentication subtab
TBA Authentication Options
| Field | What It Does |
|---|---|
| Token-Based Authentication (TBA) | Must be checked to enable TBA. Checked by default on new records. Allows creation of tokens through the NetSuite UI. |
| TBA: Authorization Flow | Enables the three-step OAuth-like authorization flow for creating tokens programmatically with user consent. Recommended approach. |
| TBA: IssueToken Endpoint | Allows programmatic token creation via the issuetoken REST endpoint. Check only if the Authorization Flow isn't feasible for your application. |
| Callback URL | The redirect URL your application uses during the Authorization Flow. Supports localhost with wildcard ports (http://localhost:*) and wildcard subdomains (https://*.example.com/callback). |
| User Credentials | Legacy authentication method. Clear this checkbox for new integrations — use TBA or OAuth 2.0 instead. |
Saving & Capturing Your Credentials
After saving the integration record, the confirmation page displays your Consumer Key and Consumer Secret. These are two of the four credentials you'll need for TBA authentication.
Creating TBA Access Tokens
With the integration record saved, you now need to generate access tokens. Tokens pair a specific user and role with your integration. NetSuite provides two methods depending on your permissions.
The Four TBA Credentials
| Credential | Source | When Generated |
|---|---|---|
| Consumer Key | Integration Record | When you save the integration record |
| Consumer Secret | Integration Record | When you save the integration record |
| Token ID | Access Token page | When you create a new access token |
| Token Secret | Access Token page | When you create a new access token |
Method A: Access Token Management (For Admins)
Users with the Access Token Management permission can create and assign tokens for other users (except Administrator roles). Administrators can create tokens for themselves but not for other Administrators.
📍 Navigation: Setup > Users/Roles > Access Tokens > New Access Token
Step 1: Navigate to Access Tokens
- Log in with a role that has the Access Token Management permission
- Go to Setup > Users/Roles > Access Tokens
- Click New Access Token
Step 2: Configure the Token
- Select the Application Name — this is the integration record you created
- Select the User who will use this token for API access
- Select the Role the token will authenticate as (this determines permissions)
- Optionally customize the Token Name (defaults to Application + User + Role)
Step 3: Save and Capture Token Credentials
- Click Save
- Copy the Token ID and Token Secret immediately
- Store them securely alongside your Consumer Key/Secret
Method B: User Access Token (Self-Service)
Users with the User Access Token permission can create tokens for their own current user and role. This is ideal for individual users who need API access without involving an administrator.
- Log in using a role with the User Access Token permission
- In the Settings portlet on your Home dashboard, click Manage Access Tokens
- Click New My Access Token
- Select the Application Name and customize the Token Name if desired
- Click Save and copy the Token ID and Token Secret immediately
Managing the Token Lifecycle
Viewing & Searching Tokens
📍 Navigation: Setup > Users/Roles > User Management > Access Tokens
The Access Tokens list view shows all tokens in your account. From here you can:
- View — Open a token's details page
- Edit — Modify token details or revoke the token
- Filter — Use the Filters panel to show All, Revoked (Yes), or Active (No) tokens
- Search — Click Search at the top right to open the Access Token Search page
Revoking Tokens
TBA tokens never expire, so periodic revocation and recreation is a security best practice.
- Go to Setup > Users/Roles > Access Tokens
- Click Edit next to the token you want to revoke
- Click Revoke
Important Token Rules
- Deleting an integration application revokes all associated tokens automatically.
- Removing roles from an entity (employee, vendor, etc.) leaves tokens active, but they can't be used for login until roles are reassigned.
- Deleting an entity deletes all their associated tokens.
- Sandbox/Release Preview: Tokens are NOT copied from production. Create new tokens in each environment, and recreate them every time you refresh a sandbox.