The TBA Sunset Isn’t the Emergency Everyone’s Selling You

Every NetSuite consultant is suddenly talking about TBA.

Deadlines. Broken integrations.
“You need to act now.”

Maybe they’ve got a migration package ready. Maybe they just want engagement.

Either way, the message is the same:

Panic.

I’m not panicking. You shouldn’t either.

What NetSuite actually said

Starting in 2027.1, you can’t create new integrations using Token-Based Authentication.

That’s it.

Existing integrations keep working.

There is no announced cutoff where your current TBA integrations just stop.

Read that again:

New integrations. Not existing ones.

We’ll get a real sunset eventually. Probably tied to SOAP going away.

But that hasn’t been announced.

Anyone telling you your integrations will break in 2027 is either:

• misinformed
• or selling you something

The migration isn’t the hard part

If you’re building anything new, you should already be using OAuth 2.0 M2M.

It’s better:

• short-lived tokens
• cleaner key rotation
• standard auth that real developers recognize

The actual migration?

It’s mechanical:

1. Generate an RSA key pair
2. Upload the cert to the integration record
3. Switch the integration to OAuth 2.0 (client credentials)
4. Generate a JWT instead of signing OAuth 1.0
5. Exchange it for an access token

That looks like a lot.

It isn’t.

The first one takes a day because you’re fighting NetSuite quirks.

The second one is an afternoon.

After that, it’s just repetition.

The stuff that will actually trip you up

This is where people lose time.

Not because it’s hard — because it’s not obvious.

NetSuite wants PS256. Not RS256.

Most libraries default to RS256.

NetSuite won’t accept it.

You’ll get invalid_grant and no useful explanation.

If your token looks right and you’re stuck, check that first.

This one will waste your time if you don’t know it:

Pre-auth failures don’t show up in the Login Audit Trail.

If NetSuite rejects your JWT before auth runs:

• nothing gets logged
• it looks like your request never hit NetSuite

It did.

NetSuite just rejected it before it ever got that far.

If your audit trail is empty, your problem is in the JWT.

JWT claims have to be exact.

• aud is the token endpoint, not your account
• exp should be short
• iss, scope, iat all need to match exactly

Get one wrong → back to invalid_grant.

2FA will break your integration.

TBA roles can’t use it.
M2M doesn’t support it.

If auth is failing and 2FA is enabled, that’s your answer.

None of this is hard.

It’s just unfamiliar the first time.

Who to be skeptical of

If someone is quoting you five figures to migrate a single working integration off TBA…

ask them to walk you through the JWT they generated last week.

If they pause, they haven’t done it.

This is becoming the next “we’ll fix your forms” project:

Real work.
Overpriced because it sounds complex.

The expertise is real.

The pricing often isn’t.

What to actually do

• Inventory your integrations
• Identify which ones use TBA
• Migrate one low-risk integration first
• Learn it once, repeat it across the rest

The takeaway

The sunset isn’t the problem.

Overpaying for something you don’t understand is.