Enable the 'Token-Based Authentication' or 'OAuth 2.0' feature in NetSuite Setup > Company > Enable Features > SuiteCloud
For TBA: create an Integration record, generate Consumer Key/Secret, then create an Access Token for a specific Employee/Role — store credentials in a vault, never in source code
For OAuth 2.0 client credentials (M2M): register an integration with the 'Client Credentials' grant, assign a certificate or secret, and request a bearer token from the token endpoint
Construct the Authorization header per the OAuth 1.0a spec for TBA, or use a Bearer token header for OAuth 2.0
Scope REST calls to the minimum required role; validate that the role has REST Web Services permissions enabled
Rotate credentials on schedule and audit token usage in NetSuite's Token Management UI
Known gotchas
TBA tokens are tied to a specific Employee+Role combination; if the employee is terminated or the role is changed, the token silently stops working
OAuth 2.0 bearer tokens expire; implement token refresh logic and handle 401 responses by re-fetching a token rather than failing hard
The NetSuite account ID in the REST base URL must match the realm in the Authorization header exactly, including any '_SB' suffix for sandbox accounts
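As an added example (not code from the original page or from NetSuite), here is how the TBA Authorization header from step 4 can be built in Python with HMAC-SHA256, with a guard for the account-ID/realm mismatch described in the last gotcha; the URL host form (`<account-id>.suitetalk.api.netsuite.com`), account ID, keys and endpoint path are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(value) -> str:
    # OAuth 1.0a requires RFC 3986 percent-encoding (only unreserved chars left bare)
    return quote(str(value), safe="-._~")


def tba_authorization_header(method, url, account_id, consumer_key, consumer_secret,
                             token_id, token_secret, nonce=None, timestamp=None):
    """Return the OAuth 1.0a Authorization header NetSuite TBA expects (HMAC-SHA256).
    Secrets are passed in by the caller: load them from a vault, never hard-code them.
    nonce/timestamp are overridable only so the output can be reproduced in tests."""
    parts = urlsplit(url)
    # Assumed URL form: https://<account-id>.suitetalk.api.netsuite.com/...; the host
    # spells the account ID lowercase with '-' (1234567-sb1) while realm uses 1234567_SB1
    host_account = parts.netloc.split(".")[0].lower()
    if host_account != account_id.lower().replace("_", "-"):
        raise ValueError(f"realm {account_id!r} does not match URL account {host_account!r}")
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_id,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_version": "1.0",
    }
    # Query parameters join the oauth_* params in the signature base string; realm does not
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(oauth)
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    base_string = "&".join([method.upper(), _enc(base_url), _enc(normalized)])
    signing_key = f"{_enc(consumer_secret)}&{_enc(token_secret)}"
    digest = hmac.new(signing_key.encode(), base_string.encode(), hashlib.sha256).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    fields = [f'realm="{account_id}"'] + [f'{k}="{_enc(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(fields)
```

Pass the returned string as the `Authorization` header of the request; a fresh nonce and timestamp are generated per call when the caller does not supply them.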
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp