Security is a critical part of any enterprise integration. Whether you're validating webhooks, generating API signatures, encrypting sensitive data, or hashing passwords, NetSuite provides the N/crypto module to handle these operations securely inside SuiteScript.
The N/crypto module is commonly used alongside:
- N/https (secure API calls)
- N/encode (data encoding/decoding)
- Webhook verification logic
- Payment and banking integrations
- Secure token generation
In this guide, you'll learn:
- What the N/crypto module does
- Supported hashing and encryption algorithms
- How to generate hashes and HMAC signatures
- When to use encryption vs hashing
- Real-world integration examples
- Best practices for secure SuiteScript development
1. What Is the N/crypto Module?
The N/crypto module provides cryptographic functionality for SuiteScript, allowing you to:
- Generate hashes (SHA-256, SHA-512, etc.)
- Create HMAC signatures
- Encrypt and decrypt data
- Securely validate incoming requests
- Protect sensitive values
It is server-side only and available in SuiteScript 2.x / 2.1.
2. Common Use Cases for N/crypto
You'll typically use N/crypto when working with:
- API request signing
- Webhook signature verification
- Password or token hashing
- Secure payload validation
- Banking or payment gateways
- OAuth 1.0 integrations
- Compliance-driven integrations
If security matters (and it always does), this module matters.
3. Core Components of the N/crypto Module
The module mainly exposes:
- crypto.createHash()
- crypto.createHmac()
- crypto.createCipher()
- crypto.createDecipher()
- crypto.HashAlg enum
- crypto.EncryptionAlg enum
4. Hashing Data (SHA Algorithms)
Hashing is one-way: you cannot reverse it.
Example: Generate a SHA-256 Hash
```javascript
/**
 * @NApiVersion 2.1
 * @NScriptType ScheduledScript
 */
define(['N/crypto', 'N/encode'], (crypto, encode) => {
    function generateHash() {
        const hash = crypto.createHash({
            algorithm: crypto.HashAlg.SHA256
        });
        // The Encoding enum comes from N/encode, not N/crypto
        hash.update({
            input: 'NetSuitePro',
            inputEncoding: encode.Encoding.UTF_8
        });
        const output = hash.digest({
            outputEncoding: encode.Encoding.HEX
        });
        log.debug('SHA256 Hash', output);
    }
    return { execute: generateHash };
});
```
Use hashing for:
- Password storage
- Token comparison
- Webhook validation
5. Creating HMAC Signatures (Most Common API Use Case)
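HMAC combines a secret key with the payload to produce a keyed hash, so only a party that holds the key can produce a matching signature.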
Example: HMAC SHA-256 Signature
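```javascript
define(['N/crypto', 'N/encode'], (crypto, encode) => {
    function createSignature() {
        // createHmac expects a crypto.SecretKey, not a plain string.
        // 'custsecret_my_secret_key' is a placeholder ID for a secret stored under API Secrets.
        const secretKey = crypto.createSecretKey({
            secret: 'custsecret_my_secret_key',
            encoding: encode.Encoding.UTF_8
        });
        const hmac = crypto.createHmac({
            algorithm: crypto.HashAlg.SHA256,
            key: secretKey
        });
        hmac.update({
            input: '{"orderId":12345}',
            inputEncoding: encode.Encoding.UTF_8
        });
        const signature = hmac.digest({
            outputEncoding: encode.Encoding.HEX
        });
        log.debug('HMAC Signature', signature);
    }
    return { execute: createSignature };
});
```
Commonly used for: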
- Webhook verification (Shopify, Stripe, etc.)
- Secure API authentication
- Message integrity checks
6. Encryption & Decryption (Two-Way Security)
Encryption is two-way: data encrypted with a key can later be decrypted with the same key.
Example: Encrypt Data
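```javascript
define(['N/crypto', 'N/encode'], (crypto, encode) => {
    function encryptValue() {
        // The key must be a crypto.SecretKey; the secret ID below is a placeholder.
        const secretKey = crypto.createSecretKey({
            secret: 'custsecret_encryption_key',
            encoding: encode.Encoding.UTF_8
        });
        const cipher = crypto.createCipher({
            algorithm: crypto.EncryptionAlg.AES,
            key: secretKey
        });
        cipher.update({
            input: 'SensitiveData',
            inputEncoding: encode.Encoding.UTF_8
        });
        // final() returns a payload object holding both the ciphertext and the IV
        const payload = cipher.final({
            outputEncoding: encode.Encoding.BASE_64
        });
        log.debug('Encrypted Value', payload.ciphertext);
        // Store payload.iv alongside the ciphertext: it is required for decryption
        return payload;
    }
    return { execute: encryptValue };
});
```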
Example: Decrypt Data
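```javascript
// Fragment: crypto and encode are the N/crypto and N/encode modules.
// secretKey is the same crypto.SecretKey used to encrypt;
// encryptedValue and iv are the ciphertext and iv returned by cipher.final().
const decipher = crypto.createDecipher({
    algorithm: crypto.EncryptionAlg.AES,
    key: secretKey,
    iv: iv
});
decipher.update({
    input: encryptedValue,
    inputEncoding: encode.Encoding.BASE_64
});
// final() returns the decrypted plaintext in the requested encoding
const decrypted = decipher.final({
    outputEncoding: encode.Encoding.UTF_8
});
```
Use encryption for: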
- Sensitive tokens
- Secure configuration values
- Temporary secure storage
7. Hashing vs Encryption: Key Differences
| Feature | Hashing | Encryption |
|---|---|---|
| Reversible | No | Yes |
| Used for | Validation | Data protection |
| Common algorithms | SHA256 | AES |
| Best for | Passwords, signatures | Sensitive values |
Never store passwords using encryption; always hash.
8. Best Practices for Using N/crypto
- Never hardcode secrets in scripts
- Store keys using API Secrets or secure fields
- Do not log encrypted or hashed secrets
- Always validate webhook signatures
- Use SHA-256 or stronger algorithms
- Rotate secrets regularly
- Combine with N/encode for proper formatting
9. Common Mistakes to Avoid
- Treating Base64 as encryption
- Using weak algorithms
- Logging cryptographic output
- Hardcoding API secrets
- Reusing keys across systems
10. Real-World Example: Webhook Validation Flow
- Receive webhook payload
- Generate HMAC using shared secret
- Compare generated signature with header value
- Accept or reject request
This is a must-have for secure inbound integrations.
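The four steps above as a Suitelet sketch; this is an added example, not code from the original post. It assumes the sender puts a hex-encoded HMAC-SHA256 of the raw body in a header named `X-Signature`, and the API Secret ID `custsecret_webhook_key` is a placeholder; `safeEqualHex` and `verifyWebhook` are illustrative helper names.

```javascript
/**
 * @NApiVersion 2.1
 * @NScriptType Suitelet
 */
// Added example. Placeholders: header 'X-Signature', secret ID 'custsecret_webhook_key'.

// Constant-time comparison of equal-length hex strings (no early exit on mismatch).
function safeEqualHex(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Steps 2-4 of the flow. hmacHex(rawBody) returns the hex HMAC-SHA256 of the raw body;
// it is passed in so the accept/reject logic can be exercised outside NetSuite.
function verifyWebhook(rawBody, headerValue, hmacHex) {
  if (typeof rawBody !== 'string' || typeof headerValue !== 'string') return false;
  const received = headerValue.trim().toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(received)) return false; // SHA-256 digest = 64 hex chars
  return safeEqualHex(String(hmacHex(rawBody)).toLowerCase(), received);
}

// SuiteScript wiring; the guard lets the file load where define() does not exist.
if (typeof define === 'function') {
  define(['N/crypto', 'N/encode'], (crypto, encode) => {
    const hmacHex = (body) => {
      const key = crypto.createSecretKey({
        secret: 'custsecret_webhook_key', // placeholder API Secret ID
        encoding: encode.Encoding.UTF_8
      });
      const hmac = crypto.createHmac({ algorithm: crypto.HashAlg.SHA256, key: key });
      hmac.update({ input: body, inputEncoding: encode.Encoding.UTF_8 });
      return hmac.digest({ outputEncoding: encode.Encoding.HEX });
    };
    const onRequest = (context) => {
      // Step 1: use the body exactly as received; re-serialised JSON changes the bytes.
      const ok = verifyWebhook(context.request.body,
        context.request.headers['X-Signature'], hmacHex);
      if (!ok) {
        context.response.write('invalid signature'); // reject: do not process
        return;
      }
      context.response.write('ok'); // accept: handle the verified payload here
    };
    return { onRequest };
  });
}
```

The signature is checked for shape before comparison, so a missing or malformed header is rejected without computing or comparing anything secret-dependent.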
11. Final Thoughts
The N/crypto module is the foundation of secure SuiteScript development. If you're integrating with external systems, validating inbound requests, or handling sensitive data, this module is non-negotiable.
Used correctly, it enables:
- Secure API authentication
- Webhook integrity checks
- Encrypted data handling
- Compliance-ready integrations
Every NetSuite developer should master this module.