Anyway to communicate to a NetSuite RESTlet without authentication? Maybe that's not secure enough so is not an option?

No, but you could do this with a Suitelet

Is there a way to provide a large webhook payload to a suitelet?

For webhooks, use externally available Suitelet.

I achieved the above by having the hook (which was Slack in my case) talk to an SSP application in NS. The SSP application didn’t require auth, but could run SuiteScript to generate the oauth headers and then pass on the payload + headers to a Suitelet.

The issue with externally available suitelets and webhooks is that NetSuite requires a specific user-agent header that most webhooks don't allow you to set

We've got a little $5/month php server to solve this problem - have the webhook call the right php script on that server, and then the server forwards the webhook data on to NetSuite (either RESTlet or available-without-login Suitelet depending on the use-case). It's not the quickest solution to set up but it's pretty easy and cheap once you've got the server running.

Thanks for replies. Really appreciate this. @jen If I tried an SSP application, couldn't that communicate with my RESTlet without any authentication needed?

@MTNathan funny, we originally used a PHP server too 🙂

OK @jen that makes sense to me. Seems like anyway I cut it, I'm going to need some middleware 😕

Yeah this was my conclusion when I needed to achieve the same concept

these days I would probably lean on cloud functions rather than a full fledged server?

Yup, I used a Google cloud function for this at my previous place. https://stackoverflow.com/a/58514482. The usage fell well within the free tier.

Thank you for this @michoel

When using an external Suitelet, I'd recommend learning about CORS as well, you'll likely encounter "issues" initially with CORS. Just read up on it if you don't already know, and see why the warnings etc occur. Just my 5 cents 🙂