Open NetSuite’s docs on authentication and you’ll find both TBA and OAuth 2.0 documented with equal weight and no clear recommendation. Every team building a new integration in 2026 ends up asking the same question.
The short answer: use OAuth 2.0 for any new integration. Keep TBA only for something already running on it that would cost more to migrate than to leave alone.
What each one actually is
TBA — HMAC-SHA256 request signing
- Every API call carries a signature built from four secrets + nonce + timestamp
- No access token, no expiry, no refresh
- The four secrets just keep working until you rotate them
OAuth 2.0 — client credentials with JWT bearer
- Sign a JWT with a private key
- Exchange it for an access token (1-hour expiry)
- Pass the token on each API call; refresh by minting a new JWT
Why OAuth 2.0 wins for new builds
- Standard libraries everywhere. TBA’s signing scheme is NetSuite-specific — you maintain it yourself.
- Smaller blast radius on leaks. Access tokens expire in an hour; TBA secrets work until somebody notices.
- Better audit trail. Token requests are themselves logged events. TBA shows API calls but not the auth step.
- NetSuite’s clear investment. New features ship with OAuth 2.0 support first. TBA support trails — sometimes never lands.
Where TBA still earns its keep
- SuiteScript callouts back into SuiteTalk SOAP — TBA is simpler from inside a script
- Legacy SOAP operations that only support TBA
- Per-user audit trails — TBA tokens are per-user; OAuth 2.0 M2M is account-level by design
- Existing infrastructure — migrating ten working TBA integrations just to migrate isn’t worth it
The 5-question decision matrix
For a new project, run these. “Yes” to any → lean OAuth 2.0. “No” to all → TBA is defensible.
- New integration with no existing TBA code to inherit?
- Running from a server or container (not inside SuiteScript)?
- Need to rotate or revoke credentials regularly?
- Using only REST Web Services (not SOAP)?
- More than one engineer will maintain this over two years?
For most WooCommerce ↔ NetSuite and Shopify ↔ NetSuite builds we see, every answer is “yes.” OAuth 2.0 is the obvious pick.
Migration playbook
The auth code itself is a day’s work. The cutover is the real engineering. Here’s the safe path:
- Stand up the OAuth 2.0 integration record alongside the existing TBA one
- Run both paths in parallel from your code, behind a feature flag
- Verify reads — OAuth 2.0 path returns identical results for a sample of read calls
- Flip writes on a low-traffic window first; watch logs; then flip the rest
- Leave TBA in place for two weeks so rollback is one config flip
Teams that get this wrong treat it as a code change. Teams that get it right treat it as a deployment.
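The parallel-path cutover above, written out as an added example (not code from the original post or from any product it mentions). The two transports are constructed fakes standing in for the TBA and OAuth 2.0 request paths; the mutable flags object is the feature flag, so a rollback is one field flip, and reads are shadowed through the OAuth 2.0 path and compared against the TBA result while TBA stays authoritative. Writes are never shadowed, because repeating a write would duplicate its side effects.

```javascript
// Added example (not from the original post): a dual-path client for the
// TBA -> OAuth 2.0 cutover. tbaCall/oauthCall are the two transports
// (constructed fakes in the test); flags decide which path serves reads and
// writes, and shadowReads compares the OAuth 2.0 result against the TBA result
// for every read before the switch is trusted.
function makeDualPathClient({ tbaCall, oauthCall, flags, onMismatch }) {
  const stats = { shadowed: 0, mismatches: 0 };
  const isRead = op => op.method === 'GET';

  function call(op) {
    const primaryIsOauth = isRead(op) ? flags.readsViaOauth : flags.writesViaOauth;
    const primary = primaryIsOauth ? oauthCall : tbaCall;
    const result = primary(op);
    // Shadow only reads, and only while TBA is still the primary read path:
    // repeating a write would duplicate its side effects.
    if (isRead(op) && !primaryIsOauth && flags.shadowReads) {
      stats.shadowed += 1;
      let shadow;
      try { shadow = oauthCall(op); } catch (e) { shadow = { error: String(e) }; }
      if (JSON.stringify(shadow) !== JSON.stringify(result)) {
        stats.mismatches += 1;
        if (onMismatch) onMismatch({ op, tba: result, oauth: shadow });
      }
    }
    return result; // the caller always gets the primary path's answer
  }

  // Health check to gate the flip: zero mismatches over a sample of reads.
  function readyToFlipReads(minSample) {
    return stats.shadowed >= minSample && stats.mismatches === 0;
  }

  return { call, stats, readyToFlipReads };
}
```

In practice onMismatch should write to the same log stream you watch during the write cutover, and readyToFlipReads is the condition to check before setting readsViaOauth, then writesViaOauth, in the low-traffic window.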
The summary to paste in your design doc
- New integration → OAuth 2.0
- Existing TBA that works → leave it
- SOAP-only endpoint → TBA
- Per-user audit required → TBA
- Everything else → OAuth 2.0
Want the OAuth 2.0 setup we send to new clients? Our complete M2M auth guide with Postman walks it step by step. And if you’re past the auth decision and weighing build-vs-buy on the integration itself, NetSuite Integration Basic and Pro handle both auth paths out of the box — you don’t have to pick.