top of page
Search

Secure Your NetSuite Customizations with SuiteScript: Using SecureStrings and API Secrets for Safer Integrations

  • Jul 2, 2025
  • 3 min read

When it comes to NetSuite security best practices, one of the first things that comes to mind is credentials storage. As a technical consultant, this has been a key consideration while building new integrations, ensuring our customers that their passwords and tokens are not only safely stored but also handled securely throughout the code. In this article, we will review NetSuite’s API Secrets functionality and explore the different SuiteScript modules that support the secure management and use of sensitive credentials.

Content:

What Are NetSuite API Secrets and How Do They Work?

NetSuite provides a secure mechanism for storing and managing API secrets via Setup > Company > Preferences > API Secrets. Each secret stores a single password or token, and you can control access by specifying which scripts and roles are permitted to use each secret.


To use API Secrets in SuiteScript, NetSuite provides support through several modules:


How to Use SecureStrings for Authentication in NetSuite

To securely pass API credentials during integration, use the N/https module’s createSecureString method. This creates an https.SecureString from a GUID or a secret, encapsulating sensitive information. To create a secure string from a secret, follow this example:


let strMyAuthenticationHeader = https.createSecureString({           input: `{custsecret_api_secret_scriptid}` 
   });

Or, for bearer token authentication:


let strMyAuthenticationHeader = https.createSecureString({
           input: `Bearer {custsecret_token_api_secret_scriptid}`
});

 

Secure strings can't be manipulated like regular strings, but there are helpful methods available:

Building a Basic Authentication Header with SecureStrings

A common use case for these methods is building a Basic Authentication header. This involves base64-encoding the username:password combination and prefixing it with "Basic ".


Here’s an example based on NetSuite's documentation:


//From your user and password API secrets        
const strUsername = "custsecret_api_username";
const strPassword = "custsecret_api_password";

// Create a BASE-64 encoded name:password pair
const secStringKeyInBase64 = https.createSecureString({
    input: `{${ strUsername }}:{${ strPassword }}`
});

secStringKeyInBase64.convertEncoding({
    toEncoding: encode.Encoding.BASE_64,
    fromEncoding: encode.Encoding.UTF_8
});

// Construct the Authorization header
const secStringBasicAuthHeader = https.createSecureString({
    input: "Basic "
});

secStringBasicAuthHeader.appendSecureString({
  secureString: secStringKeyInBase64,
  keepEncoding: true
});

// Send the request to third party with the Authorization header
const objAPIResponse = https.get({
 url: "myUrl",
 headers: {
        "Authorization": secStringBasicAuthHeader
    }
});

Conclusion

Securing API credentials is no longer a nice-to-have—it's a must in any NetSuite integration. With NetSuite’s API Secrets and the SuiteScript SecureString methods, developers have the tools to protect sensitive data without resorting to insecure workarounds or hardcoding secrets into scripts. While SecureStrings do introduce some complexity, they offer a safe and robust way to manage authentication details in SuiteScript.


As you design your next integration or review existing code, take the time to migrate any plaintext credentials into API Secrets and refactor your scripts to use SecureStrings. It’s a small step that can make a significant difference in your NetSuite environment’s security posture.


By Carolina Gorriarán, Solutions Architect


Interested in learning more?







FAQS

What are NetSuite API Secrets?

NetSuite API Secrets are a secure mechanism for storing and managing passwords and tokens, accessible via Setup > Company > Preferences > API Secrets. Each secret stores a single password or token, and access can be controlled by specifying which scripts and roles are permitted to use it.

Which SuiteScript modules support NetSuite API Secrets?

NetSuite provides support for API Secrets through three SuiteScript modules: N/crypto via the crypto.createSecretKey(options) method, N/sftp for establishing secure connections using stored secrets, and N/https for creating secure strings.

What is a SecureString in NetSuite SuiteScript?

A SecureString in NetSuite is an https.SecureString object created via the createSecureString(options) method of the N/https module, from a GUID or a secret. It encapsulates sensitive information such as passwords or tokens, and cannot be manipulated like a regular string.

How do you use SecureStrings in NetSuite SuiteScript?

SecureStrings support three methods: SecureString.appendString(options) to concatenate a plain string, SecureString.appendSecureString(options) to concatenate two secure strings, and SecureString.replaceString(options) to replace a string or pattern within the secure string.

How do you build a Basic Authentication header using SecureStrings in NetSuite?

A Basic Authentication header is built by creating a SecureString from the username and password API secrets, encoding the combination in Base64 using convertEncoding(), prefixing it with "Basic ", and passing it as the Authorization header in the https.get() request.

Is it safe to hardcode credentials in NetSuite SuiteScript?

No, hardcoding credentials in scripts is insecure. NetSuite's API Secrets and SecureString methods allow developers to protect sensitive data without resorting to insecure workarounds, making them essential for any NetSuite integration.


bottom of page