NetSuite’s planned updates for web services will probably affect (or break almost) all of your NetSuite integrations in the next 12 to 24 months. It’s time to act. - part I

Oracle NetSuite’s Release Upgrade 2026.1 is underway, and the official Release Notes include a major announcement to “SuiteTalk”, which is NetSuite’s module reference for web services integration protocols (speak “API integrations” and “REST integrations”):

• Token-based Authentication via OAuth 1.0 will no longer be available for new integrations in 12 months.
  

  

• The SOAP web service protocol will no longer be available in the next 24 months. In fact, any integration with the 2023.1 SOAP endpoint is no longer supported with immediate effect.

  

For the source, check section “Authentication” in the 3 February edition on https://community.oracle.com/netsuite/english/api/v2/media/download-by-url?url=https%3A%2F%2Fus.v-cdn.net%2F6032262%2Fuploads%2FG17GK9W7P1C1%2Freleasenotes-2026-1-0.pdf.

In lieu, Oracle NetSuite advises as follows:

• Switch from Token-based Authentication to OAuth 2.0-based authentication for any new integration.

  • For machine-to-machine (server-to-server) integrations (probably 95% of your integration scenarios), use the new OAuth 2.0 flow with Client Credentials. Beware that, unlike many other established SaaS solutions, NetSuite has opted to use a JSON web token (JWT) rather than basic client credentials. (This is a frequently omitted key requirement, and we will write about the implications to your implementations in a separate article.)

  • For user-to-machine integrations (for example, for user interfaces in Suitelets), use the established OAuth 2.0 flow with Authorization Code Grant. (This effectively works like your Microsoft and Google app registrations.) Moreover, beware that this authentication flow should include Proof of Key for Code Exchange (PKCE) as it will become mandatory in a year’s time.

• Switch from SOAP Web Services to REST web services.

  • For an integration with a standardised web service protocol (speak standard definitions on how to create, read, update, and delete data in NetSuite), use the REST(ful) Web Services available since Release Upgrade 2020.1. NetSuite’s RESTful web service protocol effectively complies with Open API 3.0. Beyond that, though, the protocol offers powerful additions for database queries and workflow executions. In particular, do not miss out on the SuiteQL endpoints, which provide powerful SQL queries similar to GraphQL. (The adoption of SuiteQL is still not mainstream and we refer to Tim Dietrich’s fabulous work across the last 5 years for how you can push your database query integrations to the next level. It’s unlike any other ERP system and can only be matched by Shopify as of end of 2025.)

  • For an integration with bespoke script logic, say, a preliminary look-up of existing master data before posting transaction data, you may want to use the long-established RESTlet script framework. (Think of RESTlets like microservices executed on the back of web service endpoints: RESTlets allow executing multiple tasks in a single web service request and then, also returning bespoke data and error messages in the web service response to your external system. Say, you want to record a new event or sales order in NetSuite and create the customer or contact record(s) along the way, but only if said master data would be new to NetSuite, then RESTlets allow you to do all that in a single web service request. Such a microservice approach reduces the number of integration calls, ensures no broken or fragmented integration calls, where you create only parts of the data, and reduces the logic on the sender side, because the Netsuite-specific logic is running within Netsuite. In short, you send your data to NetSuite and the RESTlet scripts do the thinking.)

  Whether to use standardised REST(ful) web services or the good old RESTlet framework is a key decision in your partner’s standard or your own custom integration strategy.

  • As powerful as the RESTlet framework may be, if you are a software provider or SuiteApp partner building a standard integration for your (hybrid) SuiteApp, go for REST(ful) Web Services and run the execution logic in your integration layer. Your developers will probably not become NetSuite SuiteScript experts, you start neglecting the (more frequent) upgrades and changes to SuiteScript and record logic, trouble and confuse your customers with frequent updates to SuiteApps or SuiteBundles, and ultimately, both you as well as your customers will suffer.

  • Similarly, if you are proud owner of a middleware or iPaaS platform, latest with the 2021.1 Release Upgrade, your integration platform is in more control and put to use when using REST(ful) web services. (There is a catch: Some iPaaS providers charge by web service request rather than integration flow/execution. As a result, the multiple calls via REST(ful) web services drive up your costs. Contact us to assess your risk and the remedies. We know pretty much all integration platforms common to NetSuite integrations.)

  • If you are building a custom integrations, you might want to go for RESTlets still. Likewise, if you have reasons to circument your iPaaS platform, say, for highly confidential data or legal requirements such as with payment data, use RESTlets to maximise compliace and security.
    

For most of existing and new integrations, REST(ful) web services with authentication via JWT-enabled client credentials is the new golden standard. Given the timeline, you need to get your integrations there as soon as possible.

That means, not next year, not this summer, but now. Finance integrations are meant to be resilient. Think we-need-to-run-that-payroll-and-file-those-taxes resilient. In contrast to a workflow for your support tickets or a customer record in a CRM system, you cannot afford 95% accuracy. Your employees, customers, suppliers, auditors, and government agencies won’t let you afford that one. If you doubt that Oracle NetSuite follows through with these changes, you may not be alone, but the best-practice nature and past changes to the integration layer provide ample precedents that the change will happen. More about the fascinating history of NetSuite web services in another blog entry soon to follow.

Given that REST(ful) web services with authentication via JWT-enabled client credential still present a minority of all integrations deployed, the work at hand is even bigger. So, let’s get to work. Contact us today if you need help.