Is Chartstone affiliated with Oracle or NetSuite?
No. NetSuite is a registered trademark of Oracle America, Inc.
Chartstone is an independent third-party tool operated by SuiteStep,
LLC. Chartstone is not endorsed by, sponsored by, or built in
cooperation with Oracle or its subsidiaries.
Where does my NetSuite data go?
It stays on your computer. Chartstone runs entirely locally — the
embedded NetSuite browser, the local HTTP server, and the request
log all live on your machine. Your NetSuite data is returned only
to the client that called your local server (your AI agent, your
script, your spreadsheet).
The two times Chartstone reaches the network on its own behalf are:
(a) at subscription verification, when your email is POSTed to
chartstone.io/verify/ for a Stripe customer lookup, and
(b) at launch, when the announcements feed at
chartstone.io/announcements/ is fetched. No NetSuite
data is ever sent to chartstone.io.
What credentials does Chartstone use?
Your live NetSuite session. You log into the embedded browser the
same way you always log into NetSuite. Cookies stay in the app's
sandboxed session.
Chartstone does not store, transmit, or have access to your NetSuite
password. There are no API keys, no TBA tokens, and no OAuth client
setup required.
Can my AI agent or script see my NetSuite password?
No. You type your password directly into NetSuite’s own
login form inside the embedded browser window — Chartstone
never reads keystrokes, intercepts the form, or has access to
the typed password at any point. Only the resulting session
cookies (the same ones your normal browser would have) are
visible to Chartstone, and those are what get attached to
outbound API calls. 2FA codes work the same way — entered
into NetSuite’s challenge page directly, never seen by
Chartstone.
Does Chartstone work with SAML / SSO logins?
Yes — the same way your normal browser does. When you click
Open NetSuite, the embedded window navigates
to your account’s login URL and you go through the SSO
flow as you normally would (Okta, Microsoft Entra, Google
Workspace, ADFS — whatever your IdP is). Once SAML POSTs
back to NetSuite and the session cookies are set, Chartstone
is connected. No special handling on Chartstone’s side,
no separate IdP integration to configure.
NetSuite rotates session cookies during a session — does that break Chartstone?
No. Chartstone reads cookies fresh from the embedded
browser’s cookie jar on every outbound request and never
caches them. When NetSuite rotates a cookie mid-session, the
next request through Chartstone picks up the new value
automatically. The bridge has no concept of a “stored
session token” that could go stale.
Is Chartstone using Puppeteer or web scraping under the hood?
Same family (Chromium), but the architecture is different.
Chartstone embeds Chromium directly into the desktop app via
Electron — so there’s one persistent browser instance
with one persistent cookie jar, not a per-task spawn driven
externally over the DevTools Protocol.
More importantly, the login flow is interactive,
not headless: you see NetSuite’s actual login page in
the embedded window, type your password yourself, and handle
2FA / SSO challenges directly. Chartstone never types
credentials, scrapes the form, or simulates a human session —
it just leverages the cookies that result from your real
login. Closer mental model: imagine browsing into NetSuite
normally, then opening a local terminal that proxies HTTP
requests through your active tab’s session.
What is the local server, exactly?
An HTTP server bound to 127.0.0.1 (loopback only) on a
port you choose. Every request requires a bearer token — a per-install
random secret stored in your OS keychain when available. Token
comparison is constant-time. Nothing on your network can reach it;
only processes on your own machine can.
What stops a website I visit from calling Chartstone behind my back?
The bearer token. Chartstone’s HTTP server binds to
127.0.0.1 only (no external network interface),
and every request requires a per-install random secret in
the Authorization: Bearer <secret> header,
compared in constant time. The secret lives in your OS
keychain (macOS Keychain or Windows DPAPI), so a website
you visit can’t read it out of cookies or
localStorage. Without the secret, a browser request to your
loopback gets a 401 just like any other unauthenticated
caller.
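The loopback bind and constant-time bearer check described above, and under "What is the local server, exactly?", written out in Node.js. This is an added example, not Chartstone's code; the function names are hypothetical and the secret is kept in memory here instead of the OS keychain.

```javascript
// Added example, not Chartstone's code. All function names are hypothetical.
const crypto = require('node:crypto');
const http = require('node:http');

// Per-install random secret (256 bits, hex). Assumption: held in memory here;
// the page describes storing it in the OS keychain.
function newSecret() {
  return crypto.randomBytes(32).toString('hex');
}

// Constant-time check of an Authorization header against the secret.
// Both sides are hashed first so timingSafeEqual always gets equal-length
// buffers and the comparison time does not depend on the presented token.
function checkBearer(header, secret) {
  const m = /^Bearer (\S+)$/i.exec(typeof header === 'string' ? header : '');
  const presented = m ? m[1] : '';
  const a = crypto.createHash('sha256').update(presented).digest();
  const b = crypto.createHash('sha256').update(secret).digest();
  const equal = crypto.timingSafeEqual(a, b);
  return m !== null && equal;
}

// Reject anything without the right token before any other processing.
function handle(req, res, secret) {
  if (!checkBearer(req.headers.authorization, secret)) {
    res.writeHead(401, { 'WWW-Authenticate': 'Bearer' });
    res.end();
    return 401;
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
  return 200;
}

// Passing '127.0.0.1' as the host keeps the listener off every external
// interface; only processes on this machine can connect.
function start(port, secret) {
  const server = http.createServer((req, res) => handle(req, res, secret));
  return server.listen(port, '127.0.0.1');
}
```

A page loaded in a browser never learns the secret, so any request it sends to the loopback port takes the 401 branch.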
Does Chartstone require any setup inside NetSuite — Integration Records, custom roles, deployments?
No. You don’t install anything in NetSuite, you
don’t create an Integration Record, you don’t
deploy a SuiteApp or RESTlet, and you don’t need any
new permissions on your role. Chartstone runs entirely on
your machine and uses the role you log in with as-is. The
optional
Chartstone Toolkit
RESTlet is one extra capability you can deploy if you want
full file-cabinet / customization access from your scripts;
everything else works against stock NetSuite with zero
footprint.
Do I need an Administrator role in NetSuite?
Helpful but not required. The default page Chartstone navigates to
before running ad-hoc scripts (/app/setup/country.nl?id=US)
requires the ADMI_SETUPCOMPANY permission. Non-Admin
users can change it under
Preferences → Default script page to any record-edit
page their role can reach (e.g.
/app/common/entity/customer.nl?id=1). All other endpoints
work with whatever permissions your role has.
Can I use Chartstone against a production account?
Yes. When you confirm a production account in the embedded browser,
Chartstone shows a one-time confirmation dialog and stamps a
PRODUCTION badge on your control panel for ongoing
visibility. You're free to use it — just remember that any client
talking to your local server will be acting against your live data.
Does Chartstone work with NetSuite sandbox accounts?
Yes — exactly the same way it works with production. Sign
into the sandbox in the embedded window, click Use
this account, and Chartstone is connected. You can
switch between sandbox and production any time by signing
out and signing back in to the other (or use NetSuite’s
Multiple Sessions feature to keep both connected at once —
see the multi-session entry below). Sandbox is the right
place to test /script calls and anything else
that mutates data.
Which AI agents work with Chartstone?
Any agent that can make HTTP requests with a Bearer token.
The local server speaks plain HTTP/JSON at
127.0.0.1:<port>, so anything that can
fetch or curl can call it:
Claude Code, Cursor,
Cline, Aider, custom MCP
servers, in-house agent frameworks, plain shell scripts,
Python notebooks, etc. The
Agents page
walks through Claude Code setup specifically; the same
pattern applies to anything else.
What's in Lite vs. Pro?
Same endpoints, same features, same security. Lite has per-launch
usage caps (30 queries / 15 reports / 15 scripts per launch); Pro has
no caps. Counters reset every time you launch the
app, so light usage stays free indefinitely. See the
pricing page
for the side-by-side.
I’m a NetSuite consultant — can I use Chartstone for client work?
Yes. A Pro license is per-user, not per-account. Sign into
any client’s NetSuite from your Chartstone install,
click Use this account, and you’re
working against their account with their role and
permissions. Switch accounts whenever you change clients.
There’s no separate per-client license, no usage cap
that scales with the number of accounts, and Chartstone never
persists client data outside their own NetSuite session —
your install is just the bridge.
How do I install on Mac and Windows?
Chartstone ships as a signed macOS .dmg and a Windows
installer. Download from the
home page or under
Pricing.
First launch creates a per-install secret and stores it in the OS
keychain (Keychain on macOS, Credential Manager on Windows).
How do updates work?
Update notifications are delivered through the in-app announcements
feed at launch. New versions are published as fresh installer
downloads on chartstone.io.
How is the /script endpoint different?
/script and /restlet can execute arbitrary
code in your NetSuite session. Both default to disabled. Enable them
individually under Local HTTP server → Endpoints →
Manage only if you understand the implications: any client
that reaches your local server can run that code as you.
How do I cancel my Pro subscription?
Open Chartstone, find the Subscription card,
and click Manage subscription. That opens the
Stripe customer portal where you can cancel, change payment
method, or download invoices. Cancellation stops the next
renewal — Pro features remain active until the end of the
paid period, then the app reverts to Lite without losing any
settings. We offer a pro-rata refund within 30 days of
purchase.
I lost my license key. What do I do?
Email
tim@suitestep.com
from the address you used at checkout. We’ll look up
your key and re-send it within a business day.
What is a Chartstone license key?
A 128-bit random string that looks like
cs_live_a1b2c3…. We email it to you right after
you subscribe. Paste it into the
Subscription card in Chartstone and click
Verify — that’s the whole activation
flow. The key is yours; one subscription, one key, works on
any machine you sign in on.
Multiple NetSuite accounts?
Yes. Switch accounts (or roles) in the embedded NetSuite window
and Chartstone auto-detects the change on the next "Use this
account" confirm. One Pro subscription covers any number of
accounts under your single user.
NetSuite logs me out of Chartstone when I open NetSuite in another browser. How do I fix that?
By default, NetSuite enforces one session per user:
logging in from a second place (say, Chrome) invalidates the
session Chartstone was already holding, and vice versa. Chartstone
uses a normal NetSuite session, so it’s subject to the same
rule.
The fix: enable NetSuite’s
Multiple Sessions for 2FA-protected Users
feature.
- Ask your NetSuite admin to turn it on at
  Setup → Company → Enable Features →
  Company subtab → Access section →
  "Multiple Sessions for 2FA-protected Users".
- Every role assigned to the user must have 2FA
  enabled — not just the role you log in with.
  Check each role at Setup → Users/Roles →
  Manage Roles → [role] → Authentication.
  If any single role on the user lacks 2FA, NetSuite
  disables the feature for that user entirely. This is the
  most common reason it appears to “not work.”
- Once both are in place, the same user can hold up to
  3 active sessions simultaneously —
  Chartstone and Chrome (and a third, if you want)
  won’t evict each other.
If a session gets stuck, you can recover
from inside NetSuite: go to your Home Dashboard, find the
Settings portlet, and click
Active Sessions. That lists every active
session on your user; click Invalidate on any older/stuck
one to clear it out without resetting your good session.
If you can’t enable Multiple Sessions
(no admin access, policy reasons), two reliable workarounds:
- Use Chartstone’s embedded NetSuite window
  for manual NS work. It’s a real Chromium
  browser; anything Chrome can do on NetSuite, that window
  can too. You only give up your Chrome profile (bookmarks,
  extensions, saved passwords).
- Use a dedicated NetSuite user for Chartstone.
  Each user has their own session quota, so a Chartstone-only
  NS user won’t conflict with the user you log in as
  for manual work. Best-practice anyway for organizations
  using Chartstone heavily — separating service-account
  activity from human activity makes audit trails much
  cleaner.
Where can I find the request log?
Click Log in the Endpoints section of the
Local HTTP server card. The full ring buffer (up to 2,000 entries)
is searchable in a modal. Daily JSONL files are kept on disk under
your app data directory; the retention window is configurable
under Preferences → Log retention (days) —
default 30.
I have another question — how do I reach you?
Email tim@suitestep.com. Replies usually within a business day.