Published April 28, 2026

NetSuite API Integration: What to Know Before You Build

April 28, 2026

NetSuite is an enterprise ERP, not a developer-first SaaS API. It surfaces data through four different API endpoints (SuiteTalk SOAP, SuiteTalk REST, RESTlets, and SuiteQL), supports two authentication models (Token-Based Authentication and OAuth 2.0) with TBA being phased out in favor of OAuth 2.0, and runs on a deeply customizable record-and-sublist data model where every customer's schema diverges from the baseline. For B2B SaaS products integrating with NetSuite, the API itself is rarely the hard part — the hard parts are choosing the right surface, navigating tenant-specific schemas, and managing per-account configuration.

This guide covers the four NetSuite API surfaces, the authentication options, the data model, and the operational reality of building and maintaining a NetSuite integration.

Key takeaways

NetSuite provides four integration surfaces: SuiteTalk SOAP (legacy), SuiteTalk REST (modern, JSON-based, the default for new integrations), RESTlets (custom SuiteScript endpoints), and SuiteQL (SQL-like read layer). Most production integrations use a combination — REST for writes, SuiteQL for reads, RESTlets for custom flows.
Authentication is moving from Token-Based Authentication (TBA, OAuth 1.0-style) to OAuth 2.0. As of NetSuite's 2027.1 release (the first major release of 2027, typically deployed early in the year), no new TBA-based integrations can be created for SOAP, REST, or RESTlets. Existing TBA integrations continue to work past 2027.1 — the cutoff applies to new integrations only.
TBA access tokens do not expire. They remain valid until manually revoked, the underlying user/role changes, or NetSuite invalidates them. OAuth 2.0 uses standard short-lived access tokens with refresh tokens.
The data model is record-and-sublist with a heavy customization layer: every NetSuite tenant has custom records, custom fields, and custom forms that diverge from the vanilla schema. Integrations should not assume a global schema.
OneWorld accounts add subsidiary access controls. Every API call runs under a user/role whose subsidiary restrictions determine which records are visible and writable. Integrations needing global visibility require roles with All Subsidiaries access.
Account-level concurrency limits apply across all four API surfaces combined (typically 15–55 concurrent requests depending on tier and SuiteCloud Plus licenses). Per-integration concurrency limits can be configured by admins to prevent one integration from starving others.
Sandbox accounts are separate from production with their own concurrency pools, refreshed on-demand from production snapshots. As of NetSuite 2026.1, sandbox refreshes are unlimited.

What is the NetSuite API?

NetSuite API integration is the process of connecting external applications to NetSuite's ERP, financial, CRM, and inventory data through one of four API surfaces. Unlike modern developer-first SaaS APIs, NetSuite integrations require choosing between protocols, navigating per-tenant schema customization, and managing role-based permission models that affect what every API call can see.

There is no single NetSuite API. Engineers building a NetSuite integration end up choosing among four surfaces depending on the operation — and most production integrations use more than one.

What APIs does NetSuite actually provide?

SuiteTalk SOAP

XML/SOAP-based, contract-defined via WSDL
Historically the primary integration surface; broadest record coverage
Verbose payloads, higher latency, and WSDL regeneration required when custom fields change
Authenticated via TBA only
Now positioned as legacy; full deprecation expected around 2028

SuiteTalk REST

JSON-based, standard HTTP verbs (GET, POST, PUT, PATCH, DELETE)
The default for new integrations as of 2026
Custom fields are first-class — they appear dynamically in REST schemas without WSDL regeneration
Supports both TBA and OAuth 2.0; OAuth 2.0 recommended for new integrations
The 2026.1 release explicitly expanded REST coverage toward parity with SOAP, signaling the migration path away from SOAP

RESTlets

Custom REST endpoints written in SuiteScript (NetSuite's JavaScript-based scripting layer)
Used for orchestration, multi-step business logic, aggregated operations, or features not available through standard REST
Can encapsulate an entire business flow in a single call, reducing round-trips
Authenticated via TBA, OAuth 2.0, or user credentials (excluding 2FA-protected roles)

SuiteQL

SQL-like query language over NetSuite's analytics layer
Supports joins, filters, projections across records and transactions
Available via SuiteTalk REST (/services/rest/query/v1/suiteql), SuiteAnalytics Connect (JDBC/ODBC), or wrapped inside RESTlets
Now widely positioned as the default read layer for modern integrations, with REST handling writes

Most production integrations use a combination: SuiteQL for reads (especially bulk extraction and reporting), SuiteTalk REST for record-level writes, and RESTlets for custom flows that don't fit cleanly into either.

How does NetSuite authentication work?

NetSuite supports two OAuth-based authentication models. The choice affects API compatibility, security posture, and long-term integration viability.

Token-Based Authentication (TBA)

TBA is NetSuite's older OAuth 1.0a-style authentication. Each request is HMAC-signed using a combination of credentials:

Realm / Account ID
Consumer Key + Consumer Secret (from the Integration Record)
Token ID + Token Secret (from the Access Token, scoped to a User + Role + Integration combination)

TBA works across SOAP, REST, and RESTlets. It cannot be used with roles that require 2FA — those must use OAuth 2.0.

TBA access tokens do not expire. They remain valid until an admin revokes them, the underlying user or role is deactivated, or permission changes invalidate them. There is no configuration in NetSuite to set an automatic expiration for TBA tokens. Best practice is periodic rotation (e.g., quarterly) as a security control, but this is operational convention rather than enforced lifetime.

As of NetSuite's 2027.1 release (NetSuite uses a <year>.1 and <year>.2 two-release annual cadence; 2027.1 is the first major release of 2027, typically deployed in the first part of the year), no new TBA-based integrations can be created for SOAP Web Services, REST Web Services, or RESTlets. Existing TBA integrations continue to work past 2027.1 — Oracle's documented language is "existing integrations will continue working." The cutoff applies to creating new integrations, not to the operation of existing ones.

For existing TBA setup details, see our guide on NetSuite Token-Based Authentication setup.

OAuth 2.0

NetSuite's OAuth 2.0 implementation supports authorization code flow, client credentials, and JWT-based grant types depending on the use case. Available for SuiteTalk REST, RESTlets, and SuiteAnalytics Connect (not SOAP).

Compared to TBA, OAuth 2.0:

Eliminates per-request HMAC signing
Supports 2FA-protected roles
Uses standard access token + refresh token lifecycle
Aligns with modern OAuth tooling and libraries

For a deeper treatment of OAuth 2.0 concepts, see our guide on understanding OAuth2 authorization flows. For the operational reality of managing OAuth across many integrations, see how to handle OAuth across many integrations.

Critical detail: roles control everything

Both TBA and OAuth 2.0 inherit permissions from the role the token was created under. The role's:

Permissions determine which records the integration can read and write
Subsidiary restrictions (in OneWorld accounts) determine which subsidiaries' data is accessible
2FA settings determine which auth model is even available

This is the most common source of 401 INVALID_LOGIN errors in production: the token was created against the wrong role, and the role's permissions silently restrict everything the integration tries to do.

What does a NetSuite REST API call actually look like?

NetSuite REST endpoints use account-specific hostnames that should be discovered dynamically rather than hard-coded.

Discovering the right hostname

NetSuite provides a DataCenterUrls service that returns the authoritative hostnames for a given account:

GET https://rest.netsuite.com/rest/datacenterurls?account=<ACCOUNT_ID>

The response includes:

webservicesDomain — base for SuiteTalk SOAP and REST
restDomain — base for RESTlets
systemDomain — base for the NetSuite UI

Hostnames vary by data center (US, EU, etc.), and sandbox accounts have different hosts than production. Hard-coding hostnames breaks integrations during data center migrations or sandbox provisioning.

REST URL pattern

Once you have the webservicesDomain, SuiteTalk REST endpoints follow this pattern (documented in Oracle's NetSuite REST API guide):

https://<accountID>.suitetalk.api.netsuite.com/services/rest/record/v1/{recordType}

Concrete examples:

GET https://123456.suitetalk.api.netsuite.com/services/rest/record/v1/customer
Authorization: Bearer <access_token>

For a sandbox account (note the uppercase _SB1 suffix in the Account ID and hostname):

GET https://123456_SB1.suitetalk.api.netsuite.com/services/rest/record/v1/customer/12345
Authorization: Bearer <access_token>

SuiteQL queries are sent to a separate endpoint:

POST https://<accountID>.suitetalk.api.netsuite.com/services/rest/query/v1/suiteql
Authorization: Bearer <access_token>
Content-Type: application/json

The query body contains the SuiteQL statement. Pagination is handled via standard REST patterns (limit, offset).

How does the NetSuite data model work?

NetSuite's data model is record-and-sublist with a heavy customization layer that varies per tenant.

Records

Everything is a record type: customers, vendors, items, sales orders, invoices, journal entries, employees, and many more. Each record has standard fields (defined by NetSuite) and can be extended with custom fields specific to the customer's account.

Sublists

Sublists represent line-level or child collections nested within a parent record:

Transaction line items (invoice lines, sales order lines)
Apply lists (which invoices a payment applies to)
Activities, contacts, related records

In API payloads, sublists appear as nested arrays within the parent record. Mutating a transaction means mutating the parent record plus its line sublist atomically.

The customization layer

Every NetSuite tenant adds custom records, custom fields, and custom forms through the configuration UI. These are first-class in the platform — they appear in REST schemas, SuiteQL queries, and SuiteAnalytics Connect outputs. They are not discoverable in advance.

In practice, this means every NetSuite customer's API behaves slightly differently. Integrations need to either:

Discover the schema dynamically (via metadata APIs, saved searches, or SDF manifests)
Configure per-customer mappings during onboarding
Use a normalization layer that handles tenant-specific schema variation

This is fundamentally different from per-tenant differences in modern SaaS APIs (which are typically about feature flags or plan tiers). NetSuite tenants can have custom record types that don't exist in other tenants at all.

How do OneWorld and subsidiaries affect the API?

NetSuite has two account configurations: standard (single legal entity) and OneWorld (multiple subsidiaries under one account).

In standard accounts, there is no subsidiary dimension. Every API call operates against a single legal entity.

In OneWorld accounts, every record belongs to a subsidiary, and every API call runs under a role whose subsidiary restrictions determine what's visible:

All Subsidiaries — role can read/write across the entire subsidiary tree
Active Subsidiaries — role accesses all currently active subsidiaries
User Subsidiary — role restricted to the user's primary subsidiary (and its children)

The API has no special "OneWorld endpoints" — these rules apply equally to REST, SOAP, RESTlets, and SuiteQL. An integration with a User-Subsidiary-restricted role will silently miss records in other subsidiaries, even if the API call doesn't mention subsidiaries explicitly.

For B2B SaaS integrations needing cross-subsidiary visibility, the role assigned to the integration must have All Subsidiaries access. This is a per-customer setup decision, not something the integration code can override.

OneWorld also adds first-class REST resources for subsidiary relationships: customerSubsidiaryRelationship and vendorSubsidiaryRelationship model the link between an entity and a particular subsidiary. These records are still subject to the same role-level subsidiary restrictions — an integration with a User-Subsidiary-restricted role can only see relationships involving that subsidiary.

What are NetSuite's API rate limits?

NetSuite enforces rate limits at multiple levels.

Account-level concurrency

A shared concurrency cap applies across all four API surfaces (SOAP, REST, RESTlets) combined. Default account concurrency is around 15 concurrent requests. SuiteCloud Plus licenses add roughly 10 more per license, with high tiers reaching around 55 concurrent slots.

Sandbox, production, and developer accounts each have their own separate concurrency pools.

Per-integration concurrency

Admins can configure per-integration concurrency limits on the Integration Record. These allocate a slice of the account's total concurrency to a specific integration:

Account total = sum(per-integration limits) + unallocated pool

If an integration hits its assigned limit, additional parallel requests from that integration are rejected even when the rest of the account has spare capacity. This is for fairness and isolation — preventing one heavy integration from starving others.

Frequency limits

NetSuite also enforces rate limits over short windows (around 60 seconds) and long windows (24 hours). Exceeding them returns HTTP 429 for REST and 403-style errors for SOAP. The exact numeric thresholds for per-minute and per-day call volumes are not publicly published; they're visible to admins in the NetSuite UI under Integration Management > API Limits.

What this means for integration design

Treat throttling as a normal failure mode
Implement retry with exponential backoff on HTTP 429
For high-volume reads, prefer SuiteQL (single query returning thousands of rows) over many record-level REST calls
Design write operations to batch where possible
Confirm effective limits with the customer's NetSuite admin during onboarding

How does sandbox vs. production work?

Sandboxes are separate NetSuite accounts that copy production configuration and data on-demand:

Refreshes are admin-initiated, not on a fixed cadence
A typical refresh completes within 12–24 hours, longer for very large accounts
As of NetSuite 2026.1, sandbox refreshes are unlimited (previously quota-limited)
Each refresh overwrites the sandbox with a recent production snapshot
Domain mappings, integration credentials, and some configuration may need to be reapplied after refresh

This affects integration testing in two ways. First, sandbox account IDs include suffixes (e.g., 123456_SB1) that change the API hostname — code that hard-codes the production hostname will fail in sandbox. Second, after a sandbox refresh, integration credentials may need to be re-issued because they don't always carry over from the previous sandbox state.

Why are NetSuite integrations operationally complex?

Several factors compound:

Four API surfaces. Choosing between SOAP, REST, RESTlets, and SuiteQL requires understanding which is appropriate for each operation.
Authentication migration in progress. TBA still works but is being phased out; OAuth 2.0 is the new direction. New integrations need to make the right choice and existing ones need a migration plan.
Per-tenant schema customization. Custom records and fields differ across customers, so integrations need per-account discovery or configuration.
OneWorld subsidiary access. Cross-subsidiary visibility requires role-level configuration that the integration can't enforce on its own.
Concurrency and rate limits with admin-configurable per-integration slices. Tuning requires coordination with the customer's NetSuite admin.
Sandbox vs. production hostname differences. Hard-coded hostnames break in sandbox; dynamic discovery via DataCenterUrls is required.
Cross-team setup. New NetSuite integrations require coordination across the customer's controller/CFO, IT/security, and NetSuite admin. Setup is rarely "just wire it up."

How long does a NetSuite integration take?

Rough benchmarks for a B2B SaaS team building directly:

Read-only sync (customers, vendors, basic transactions): 3–6 weeks
Bi-directional integration with writes (creating invoices, applying payments, journal entries): 8–16+ weeks
Production maintenance: ongoing — handling per-customer schema variation, monitoring rate limits, adapting to NetSuite release changes, and coordinating sandbox refresh cycles with customers

These are time-to-first-customer estimates. Adding additional customers adds work because of tenant-specific schema and subsidiary configuration, even with the integration "built."

For broader context on how integration architecture choices affect long-term engineering overhead, see our breakdown of ETL vs. iPaaS vs. Unified API.

How does Unified simplify NetSuite integration?

Unified.to provides a category-level Accounting API that standardizes financial objects across NetSuite, QuickBooks, Xero, Sage, and other accounting integrations.

Setup

Unified connects to NetSuite using Token-Based Authentication today, with OAuth 2.0 support tracking NetSuite's recommended migration path. The customer provides:

Realm / Account ID
Consumer Key + Consumer Secret (from a NetSuite Integration Record)
Token ID + Token Secret (from an Access Token scoped to a role with appropriate permissions)

Authorization produces a connection_id that the application uses for every subsequent call. For full setup details, see the NetSuite Token-Based Authentication setup guide.

Calling the API

Example calls:

GET https://api.unified.to/accounting/invoice/{connection_id}?limit=50
Authorization: Bearer YOUR_API_KEY

GET https://api.unified.to/accounting/transaction/{connection_id}?limit=50
Authorization: Bearer YOUR_API_KEY

GET https://api.unified.to/accounting/contact/{connection_id}?limit=50
Authorization: Bearer YOUR_API_KEY

The same endpoints work for QuickBooks, Xero, Sage, and other accounting integrations — only the connection_id changes.

What Unified handles

Hostname discovery (no hard-coded URLs that break in sandbox or after data center migrations)
Surface routing — Unified picks the right NetSuite API surface (REST, SuiteQL, RESTlet) for each operation
TBA token lifecycle and credential management
Tenant-specific schema mapping including custom fields via metadata APIs
Sublist handling on transactional records
Rate limit handling with retry and backoff
Sandbox vs. production environment routing
Change detection through scheduled polling, surfaced as virtual webhooks

For NetSuite-specific custom records or fields not in the normalized Accounting schema, raw passthrough provides direct access to integration-specific endpoints while keeping the unified authentication and connection management.

Direct vs. Unified — when to choose each

Consideration	Direct NetSuite integration	Unified Accounting API
Setup time	3–16+ weeks per customer	Minutes per customer
Multi-surface routing (SOAP/REST/RESTlets/SuiteQL)	You implement and maintain	Handled
TBA / OAuth 2.0 lifecycle	You implement	Handled
Per-tenant schema variation	You implement discovery	Handled via metadata APIs + custom fields
Subsidiary access in OneWorld	You configure per customer	You configure per customer (still required)
Sublist mutation on transactions	You implement	Handled
Hostname discovery / sandbox routing	You implement	Handled
Multi-platform accounting support	Separate implementation per integration	Same code, different `connection_id`
Pricing	Free (engineering cost only)	Usage-based per API call

Build directly if

NetSuite is your only accounting integration
You need deep operational control across SuiteScript and custom RESTlets
You have engineering capacity to maintain per-tenant schema discovery
Your customers tolerate longer integration cycles per tenant

Use Unified if

You support (or plan to support) multiple accounting integrations
You want time-to-first-customer measured in days, not months
You'd rather not build hostname discovery, surface routing, or schema mapping per tenant
You want consistent webhook semantics across NetSuite, QuickBooks, Xero, and others

For the broader context on accounting API integration patterns, see our guide on accounting API integration: invoices, bills, transactions, and financial reporting.

Frequently asked questions

Does NetSuite have a REST API?

Yes. SuiteTalk REST is NetSuite's modern JSON-based REST API and is the default for new integrations. It supports both Token-Based Authentication and OAuth 2.0. Coverage has expanded substantially in recent releases as NetSuite migrates customers off SuiteTalk SOAP.

Should I use SuiteTalk SOAP or REST?

For new integrations, REST. NetSuite has positioned SOAP as legacy with full deprecation planned by around 2028. The 2026.1 release explicitly expanded REST coverage toward parity with SOAP. Use SOAP only for existing integrations during a planned migration to REST.

What is SuiteQL?

SuiteQL is NetSuite's SQL-like query language for reading data across records and transactions. It supports joins, filters, and projections, and is available via SuiteTalk REST (/services/rest/query/v1/suiteql), SuiteAnalytics Connect (JDBC/ODBC), or wrapped inside RESTlets. SuiteQL is now widely positioned as the default read layer for modern NetSuite integrations.

What's the difference between TBA and OAuth 2.0 in NetSuite?

TBA (Token-Based Authentication) is NetSuite's older OAuth 1.0a-style auth using HMAC-signed requests with consumer key/secret and token key/secret. TBA access tokens do not expire and remain valid until an admin revokes them. OAuth 2.0 is the modern replacement using standard bearer tokens with shorter-lived access tokens and refresh tokens. As of NetSuite's 2027.1 release, no new TBA-based integrations can be created — OAuth 2.0 is the only path for new builds. Existing TBA integrations continue to work past 2027.1.

Why am I getting 401 INVALID_LOGIN errors?

Most often: the access token was created under a role that doesn't have the necessary permissions, or the user account itself isn't permitted to use access tokens (missing User Access Tokens and Access Token Management permissions). Other common causes: wrong Account ID (especially confusing sandbox vs. production), Integration Record disabled, or wrong consumer key/secret paired with the token. Check the Login Audit Trail under Setup > Users/Roles > User Management for token-based login details.

How do I find my NetSuite Account ID?

The fastest way is from the URL when logged into NetSuite: https://1234567.app.netsuite.com/... → Account ID is 1234567. Or go to Setup > Company > Company Information. Sandbox accounts have suffixes like _SB1 that are part of the canonical Account ID and affect API hostnames.

Do all NetSuite tenants have the same schema?

No. NetSuite tenants vary substantially through custom records, custom fields, custom forms, and subsidiary configurations. Standard records (Customer, Invoice, Vendor) are present everywhere, but their exact field set differs per customer. Integrations should not assume a global schema.

How does Unified help with NetSuite integration?

Unified handles NetSuite hostname discovery, surface routing across REST/SuiteQL/RESTlets, TBA credential management, tenant-specific schema mapping including custom fields, sandbox/production environment routing, rate limit handling, and change detection through virtual webhooks — through a normalized accounting API that also covers QuickBooks, Xero, Sage, and other accounting integrations.

Final thoughts

NetSuite API integration is structurally heavier than modern SaaS API integration. Four API surfaces, two authentication models with one being phased out, per-tenant schema customization, OneWorld subsidiary access controls, account-wide concurrency limits with per-integration slicing, and dynamic hostname discovery all add to the implementation and maintenance cost.

For B2B SaaS products that need to support NetSuite alongside other accounting integrations (QuickBooks, Xero, Sage, etc.), building each one separately means repeating the per-vendor lifecycle work. A unified accounting API removes most of that work while preserving the customer-side setup that NetSuite's role and subsidiary model fundamentally requires.

Unified.to's Accounting API supports NetSuite alongside QuickBooks, Xero, Sage, FreshBooks, Microsoft Dynamics 365 Business Central, and others through a single normalized schema.

Start a free trial or book a demo to see it work.

All articles