Once your NetSuite RESTlet is deployed, the next step is calling it from external systems. In this tutorial, you’ll learn how to authenticate and send requests to your RESTlet using three popular tools: Postman, Python, and Node.js.
Authentication Overview
NetSuite RESTlets require authentication. The two main methods are:
- Token-Based Authentication (TBA): uses consumer key/secret and token key/secret to generate an OAuth 1.0a signature.
- OAuth 2.0: the modern approach using client credentials and bearer tokens.
In this tutorial, we’ll use TBA (OAuth 1.0a) since it’s the most widely used method for RESTlet integrations.
Your RESTlet URL
Your RESTlet URL follows this format:
https://[account-id].restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=[script-id]&deploy=[deploy-id]
Find this URL in NetSuite under Customization > Scripting > Script Deployments > [your deployment] > External URL.
Method 1: Calling a RESTlet with Postman
Postman is the easiest way to test your RESTlet.
Step 1: Install the NetSuite Auth Helper (or use manual OAuth 1.0)
- Open Postman and create a new request.
- Set method to GET and paste your RESTlet External URL.
- Go to the Authorization tab.
- Select OAuth 1.0 as the type.
- Fill in the fields:
  Consumer Key: [your TBA consumer key]
  Consumer Secret: [your TBA consumer secret]
  Access Token: [your TBA token key]
  Token Secret: [your TBA token secret]
  Signature Method: HMAC-SHA256
- Click Send.
Adding Query Parameters (GET)
Add parameters in the Params tab:
Key: id Value: 123
Sending a POST Body
Change the method to POST, go to the Body tab, select raw + JSON, and enter:
{"name": "Acme Corp", "email": "contact@acme.com"}
Method 2: Calling a RESTlet with Python
Use the requests-oauthlib library for OAuth 1.0a signing.
Install the Library
pip install requests requests-oauthlib
Python GET Request
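from requests_oauthlib import OAuth1Session

# Placeholders: load real values from environment variables or a secret store,
# never commit TBA secrets to source control.
ACCOUNT_ID = 'your_account_id'
CONSUMER_KEY = 'your_consumer_key'
CONSUMER_SECRET = 'your_consumer_secret'
TOKEN_KEY = 'your_token_key'
TOKEN_SECRET = 'your_token_secret'
RESTLET_URL = f'https://{ACCOUNT_ID}.restlets.api.netsuite.com/app/site/hosting/restlet.nl'

oauth = OAuth1Session(
    CONSUMER_KEY,
    client_secret=CONSUMER_SECRET,
    resource_owner_key=TOKEN_KEY,
    resource_owner_secret=TOKEN_SECRET,
    signature_method='HMAC-SHA256',
    # NetSuite TBA expects the account ID as the OAuth realm. For sandbox
    # accounts the realm form is e.g. 123456_SB1, while the hostname uses 123456-sb1.
    realm=ACCOUNT_ID
)

# script and deploy identify the RESTlet deployment; id is passed to the script
params = {'script': '123', 'deploy': '1', 'id': '456'}
response = oauth.get(RESTLET_URL, params=params)
response.raise_for_status()  # surface 401/403/404 instead of parsing an error body
print(response.json())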
Python POST Request
import json

# Reuses the oauth session and RESTLET_URL from the GET example above
payload = {'name': 'Acme Corp', 'email': 'contact@acme.com'}
params = {'script': '123', 'deploy': '1'}
response = oauth.post(
    RESTLET_URL,
    params=params,
    data=json.dumps(payload),
    headers={'Content-Type': 'application/json'}
)
response.raise_for_status()
print(response.json())
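To show what a signing library such as requests-oauthlib does for each request (useful when chasing a 401), the following added example, which is not part of the original tutorial, builds the OAuth 1.0a signature base string and HMAC-SHA256 Authorization header by hand with only the standard library. The credentials, nonce and timestamp are constructed sample values; real calls need a fresh random nonce and the current time.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # script, deploy and any other query parameters are signed with the oauth_* ones
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in pairs))
    base_uri = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), enc(base_uri), enc(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret):
    # Both secrets form the HMAC key; neither is ever sent on the wire
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    msg = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def authorization_header(method, url, realm, consumer_key, consumer_secret,
                         token_key, token_secret, nonce, timestamp):
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_key,
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    sig = sign(method, url, oauth_params, consumer_secret, token_secret)
    # realm is sent in the header but is not part of the signed base string
    fields = [("realm", realm), *oauth_params.items(), ("oauth_signature", sig)]
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in fields)

# Constructed sample values, not real credentials or a real account
SAMPLE_URL = ("https://123456.restlets.api.netsuite.com"
              "/app/site/hosting/restlet.nl?script=123&deploy=1&id=456")
SAMPLE = dict(realm="123456", consumer_key="ck", consumer_secret="cs",
              token_key="tk", token_secret="ts", nonce="abc123", timestamp=1700000000)

if __name__ == "__main__":
    print(base_string("GET", SAMPLE_URL, {"oauth_nonce": "abc123"}))
    print(authorization_header("GET", SAMPLE_URL, **SAMPLE))
```

A JSON POST body is not included in the OAuth 1.0a base string, so the signature covers the method, URL and query parameters only; integrity of the body relies on TLS.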
Method 3: Calling a RESTlet with Node.js
Use the oauth-1.0a and axios libraries.
Install Dependencies
npm install axios oauth-1.0a crypto-js
Node.js GET Request
const axios = require('axios');
const OAuth = require('oauth-1.0a');
const CryptoJS = require('crypto-js');

// Placeholders: load real values from environment variables or a secret store,
// never commit TBA secrets to source control.
const accountId = 'your_account_id';

const oauth = OAuth({
  consumer: {
    key: 'your_consumer_key',
    secret: 'your_consumer_secret'
  },
  // NetSuite TBA expects the account ID as the OAuth realm
  realm: accountId,
  signature_method: 'HMAC-SHA256',
  // Base64-encoded HMAC-SHA256 of the signature base string
  hash_function(base_string, key) {
    return CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(base_string, key));
  }
});

const token = {
  key: 'your_token_key',
  secret: 'your_token_secret'
};

const url = `https://${accountId}.restlets.api.netsuite.com/app/site/hosting/restlet.nl?script=123&deploy=1&id=456`;

// Sign the exact method and URL (including query string) that will be sent
const authHeader = oauth.toHeader(oauth.authorize({ url, method: 'GET' }, token));

axios.get(url, { headers: { ...authHeader, 'Content-Type': 'application/json' } })
  .then(res => console.log(res.data))
  .catch(err => console.error(err));
Common Errors and Fixes
- 401 Unauthorized: Check your TBA credentials and OAuth signature method (must be HMAC-SHA256).
- 403 Forbidden: The role assigned to the token may not have RESTlet access. Check permissions.
- 404 Not Found: Verify the script ID and deploy ID in your URL parameters.
- SSS_REQUEST_LIMIT_EXCEEDED: You’ve hit the request limit; add retry logic with exponential backoff.
Next Steps
Now that you can call RESTlets externally, explore the native NetSuite REST Record API for standard CRUD operations without custom scripts: NetSuite REST Record API: CRUD Operations with Real Examples.