https.requestSuitelet Drops options.external — No More Anonymous Outbound Requests

Oracle has updated the N/https module reference for https.requestSuitelet(options) to reflect a breaking change that shipped with 2024.1 (July rollout): the options.external parameter has been permanently removed.

What changed

• options.external is no longer a valid parameter. Any call that still passes it will have the parameter silently ignored (or may throw, depending on script context).
• https.requestSuitelet() can now only call internal Suitelets in trusted, authenticated contexts. It cannot be used for outbound HTTPS requests from anonymous client-side scripts — most notably SuiteCommerce shopper-facing pages.
• Governance remains at 10 units per call.
• The method is available in both client and server script types, introduced in 2023.1.

Remaining valid parameters

• options.scriptId (required) — script record ID
• options.deploymentId (required) — deployment record ID
• options.body — request body (PUT/POST/PATCH only)
• options.headers — HTTPS headers (authorization header is explicitly disallowed; error SSS_AUTHORIZATION_HEADER_NOT_ALLOWED)
• options.method — defaults to GET (no body) or POST (with body); set via https.Method enum
• options.urlParams — appended as query string

What to do

1. Search your codebase for any usage of options.external passed to https.requestSuitelet. Remove or refactor those calls.
2. Audit SuiteCommerce customizations — any client script that called requestSuitelet with external: true from an unauthenticated shopper session is now broken. Replace these with a direct https.get / https.post to an external endpoint, or move the logic behind an authenticated Suitelet that the storefront calls via a different mechanism (e.g., a Commerce API extension or service controller).
3. Review error handling — confirm your scripts account for the documented error codes, especially SSS_INVALID_SCRIPT_ID_1 and INVALID_SCRIPT_DEPLOYMENT_ID_1, since the method now only resolves internal Suitelet targets.
4. Note the governance cost — each call still costs 10 units. If you are migrating logic that previously used external into a two-hop pattern (client → internal Suitelet → external service), budget for the additional governance on the server-side leg.

Caveat: The source page is an API reference, not a traditional release note. Oracle does not specify the exact build or patch where enforcement began beyond “July in NetSuite 2024.1.” If your account was on an earlier rollout phase, the removal may have taken effect before or after other tenants. Verify behavior in your Sandbox before relying on any workaround.