Generate an RSA key pair; upload the public key certificate to the NetSuite integration record under OAuth 2.0 client credentials and note the generated client ID
At runtime, build a JWT assertion signed with your private key (alg RS256), with iss=client_id, sub=client_id, aud=<account_id>.suitetalk.api.netsuite.com, and a short expiry
POST the JWT to the token endpoint https://<account_id>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token with grant_type=client_credentials to receive a short-lived access token (valid 60 minutes)
Replace TBA Authorization headers (OAuth realm, oauth_consumer_key, oauth_token, oauth_signature) with a simple Bearer token header
Implement token caching and refresh: reuse the access token until near expiry, then request a new one; avoid fetching a new token on every API call
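One way to implement the caching step, as an added example that is not part of the original page or any NetSuite SDK. The fetch_token callable is a hypothetical hook standing in for the JWT build and token-endpoint POST from the earlier steps, and the 300-second refresh margin is an assumed value.

```python
import threading
import time


class TokenCache:
    """Caches one access token and refreshes it shortly before expiry."""

    def __init__(self, fetch_token, skew_seconds=300, clock=time.monotonic):
        # fetch_token() -> (access_token, expires_in_seconds). Hypothetical hook:
        # it signs the JWT assertion and POSTs it to the token endpoint.
        self._fetch = fetch_token
        self._skew = skew_seconds      # assumed margin: refresh this early
        self._clock = clock            # injectable so tests can control time
        self._lock = threading.Lock()
        self._token = None
        self._refresh_at = 0.0

    def get(self):
        """Return a usable token, calling the token endpoint only when needed."""
        with self._lock:  # one refresh at a time, even with many worker threads
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                token, expires_in = self._fetch()
                # If the margin exceeds the lifetime, fall back to half the
                # lifetime so a short-lived token is not refetched on every call.
                lifetime = max(expires_in - self._skew, expires_in / 2)
                self._token = token
                self._refresh_at = now + lifetime
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the API rejects it with a 401."""
        with self._lock:
            self._token = None

    def auth_header(self):
        # Single header that replaces the multi-field TBA Authorization header.
        return {"Authorization": "Bearer " + self.get()}
```

If fetch_token raises, the exception propagates to the caller and the previous cache state is left unchanged, so the next call retries the fetch.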
Known gotchas
TBA uses OAuth 1.0 request signing (per-call HMAC); OAuth 2.0 M2M uses a JWT bearer grant — the two mechanisms are completely different and cannot be mixed in a single call
The access token endpoint URL includes the account ID in the hostname; using a generic or wrong account ID subdomain returns a 404, not an auth error
NetSuite deprecates TBA for new integrations by release 2027.1; existing integrations continue to work past that release but cannot be refreshed or re-created using TBA after it