{"id":"4cdc4a18-87ad-4ef3-8e23-850378db56ee","task":"Understand NetSuite token-based authentication (TBA) and OAuth 2.0 authorization code / client credentials concepts for REST integrations","domain":"docs.oracle.com/en/cloud/saas/netsuite","steps":["Enable the 'Token-Based Authentication' or 'OAuth 2.0' feature in NetSuite Setup > Company > Enable Features > SuiteCloud","For TBA: create an Integration record, generate Consumer Key/Secret, then create an Access Token for a specific Employee/Role — store credentials in a vault, never in source code","For OAuth 2.0 client credentials (M2M): register an integration with the 'Client Credentials' grant, assign a certificate or secret, and request a bearer token from the token endpoint","Construct the Authorization header per the OAuth 1.0a spec for TBA, or use a Bearer token header for OAuth 2.0","Scope REST calls to the minimum required role; validate that the role has REST Web Services permissions enabled","Rotate credentials on schedule and audit token usage in NetSuite's Token Management UI"],"gotchas":["TBA tokens are tied to a specific Employee+Role combination; if the employee is terminated or the role is changed, the token silently stops working","OAuth 2.0 bearer tokens expire; implement token refresh logic and handle 401 responses by re-fetching a token rather than failing hard","The NetSuite account ID in the REST base URL must match the realm in the Authorization header exactly, including any '_SB' suffix for sandbox accounts"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:33.723Z"},"url":"https://mcp.waymark.network/r/4cdc4a18-87ad-4ef3-8e23-850378db56ee"}