Authentication
NetSuite 2025.2 includes the following enhancements to authentication features:
Multiple NetSuite Sessions per User
NetSuite now supports multiple sessions for a single user. This means you can be logged in to NetSuite on multiple devices or in multiple browsers at the same time. You can check how many active sessions you currently have on the new Active Sessions page, which you can access from your Settings portlet. You can also invalidate all of your other sessions in the same account from the Active Sessions page.
The maximum number of simultaneous valid sessions you can have is three.
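To make the session model concrete, the following is an added example (not NetSuite code) of a minimal server-side session registry with the two behaviours described above: a per-user cap of three simultaneous sessions and an "invalidate all other sessions" action. The user names, device labels and the choice to refuse a fourth login outright are assumptions for illustration; the page only states the limit, not how NetSuite handles a login beyond it.

```python
import secrets

# Limit stated in the release notes: at most three simultaneous valid sessions.
MAX_SESSIONS = 3


class SessionLimitExceeded(Exception):
    """Raised when a user already holds MAX_SESSIONS valid sessions.
    Refusing the extra login is this example's choice; the page does not
    say how NetSuite itself handles a fourth login."""


class SessionStore:
    """Minimal session registry: one opaque token per login, a per-user
    cap, and the 'invalidate all my other sessions' action."""

    def __init__(self):
        self._sessions = {}   # session_id -> (user, device), kept in login order

    def login(self, user: str, device: str) -> str:
        if len(self.active_sessions(user)) >= MAX_SESSIONS:
            raise SessionLimitExceeded(f"{user} already has {MAX_SESSIONS} sessions")
        session_id = secrets.token_urlsafe(32)   # unguessable, never sequential
        self._sessions[session_id] = (user, device)
        return session_id

    def active_sessions(self, user: str):
        """Devices holding a valid session for `user`, oldest first
        (what an Active Sessions page would list)."""
        return [dev for (u, dev) in self._sessions.values() if u == user]

    def is_valid(self, session_id: str) -> bool:
        return session_id in self._sessions

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def invalidate_others(self, session_id: str) -> int:
        """Keep only `session_id`; drop every other session of the same user.
        Sessions of other users are untouched. Returns the number dropped."""
        user, _ = self._sessions[session_id]
        stale = [sid for sid, (u, _) in self._sessions.items()
                 if u == user and sid != session_id]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def demo():
    """Constructed scenario: three logins for alice succeed, a fourth is
    refused, then the laptop session invalidates the other two while bob's
    session is unaffected."""
    store = SessionStore()
    bob = store.login("bob", "desktop")
    laptop = store.login("alice", "laptop")
    phone = store.login("alice", "phone")
    tablet = store.login("alice", "tablet")
    try:
        store.login("alice", "desktop")
        refused = False
    except SessionLimitExceeded:
        refused = True
    dropped = store.invalidate_others(laptop)
    return {
        "refused_fourth": refused,
        "dropped": dropped,
        "laptop_valid": store.is_valid(laptop),
        "phone_valid": store.is_valid(phone),
        "tablet_valid": store.is_valid(tablet),
        "remaining": store.active_sessions("alice"),
        "bob_unaffected": store.is_valid(bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The registry is in-memory only; a real deployment would persist it and bind sessions to an expiry, which the page does not describe and which is therefore left out here.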
OAuth 2.0 Certificate Expiration Notification
With the NetSuite 25.2 release, administrators of accounts that use OAuth 2.0 client credentials flow certificates receive an email indicating that the certificates are about to expire.
The certificate expiration notification is sent based on the following rules:
- NetSuite sends a notification for certificates expiring in two months, one month, or 14 days.
- If multiple certificates for the same account expire on the same day, they're included in one notification.
- NetSuite doesn’t send notifications for revoked certificates.
- NetSuite doesn’t send notifications for certificates uploaded with validity shorter than two months.
All administrators in the account receive the notification.
You must update the expiring certificate to ensure the integration keeps working properly.
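As an added example (not NetSuite code), the following Python models the four notification rules above as a check an administrator could run against their own inventory of client-credentials certificates, to see which ones would be flagged on a given day. The certificate names, dates and the 60/30-day reading of "two months" and "one month" are assumptions; the page does not state how NetSuite counts a month.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Notification windows named in the release notes. "Two months" and
# "one month" are taken as 60 and 30 days here; that day count is an
# assumption, the page does not state how NetSuite measures a month.
NOTIFY_WINDOWS = {
    "two months": timedelta(days=60),
    "one month": timedelta(days=30),
    "14 days": timedelta(days=14),
}
# Certificates uploaded with validity shorter than two months get no notice.
MIN_VALIDITY = timedelta(days=60)


@dataclass(frozen=True)
class Certificate:
    name: str        # constructed label for this example, not a NetSuite id
    uploaded: date   # date the certificate was uploaded to the integration
    expires: date    # notAfter date of the certificate
    revoked: bool = False


def window_for(cert: Certificate, today: date):
    """Return the window label ("two months", "one month", "14 days") when
    `today` is exactly that far before the certificate's expiry, else None."""
    remaining = cert.expires - today
    for label, offset in NOTIFY_WINDOWS.items():
        if remaining == offset:
            return label
    return None


def notifications_due(certs, today: date):
    """Apply the four rules and return the notifications that would go out
    on `today`, grouped by expiry date: {expiry_date: [certificate names]}.
    One entry per expiry date models "same-day expiries share one notification"."""
    due = {}
    for cert in certs:
        if cert.revoked:
            continue                      # rule: revoked certificates are skipped
        if cert.expires - cert.uploaded < MIN_VALIDITY:
            continue                      # rule: validity shorter than two months
        if window_for(cert, today) is None:
            continue                      # rule: only the three fixed windows
        due.setdefault(cert.expires, []).append(cert.name)  # rule: grouped per day
    return due


# Constructed sample inventory; dates chosen so that on TODAY two
# certificates sit exactly 60 days from expiry and one sits 14 days out.
TODAY = date(2025, 9, 1)
SAMPLE_CERTS = [
    Certificate("cert-A", date(2025, 1, 1), date(2025, 10, 31)),
    Certificate("cert-B", date(2025, 1, 1), date(2025, 10, 31)),
    Certificate("cert-C", date(2025, 1, 1), date(2025, 10, 31), revoked=True),
    Certificate("cert-D", date(2025, 8, 1), date(2025, 9, 15)),   # 45-day validity
    Certificate("cert-E", date(2025, 1, 1), date(2025, 9, 15)),
    Certificate("cert-F", date(2025, 1, 1), date(2025, 12, 1)),   # no window today
]

if __name__ == "__main__":
    for expiry, names in sorted(notifications_due(SAMPLE_CERTS, TODAY).items()):
        print(f"{expiry}: {', '.join(names)}")
```

Running the script on the sample data reports cert-A and cert-B together for 2025-10-31 and cert-E for 2025-09-15; cert-C is dropped as revoked, cert-D because its validity is under two months, and cert-F because it is not at a notification boundary. The practical point for an administrator is the last two exclusions: a short-lived or revoked certificate will never trigger an email, so those need their own tracking.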
Enhanced Check for Leaked Passwords
Previously, NetSuite performed multiple checks on new passwords during their creation. As of NetSuite 25.2, when you log in to NetSuite, your password is compared to a database of leaked passwords. Next time you log in, you will be prompted to change your password if it's in the database.
This feature increases the security of your NetSuite account.
Update to the OAuth 2.0 Refresh Token Validity
As of NetSuite 25.2, you can change the validity of a refresh token for the OAuth 2.0 authorization code grant flow. This gives you more flexibility when you set up OAuth 2.0 for use with integrations.
The new default validity of a refresh token is two days; it was previously three hours. You can change this value on the integration record associated with the integration.
You can also change the length of time after which the integration user must reauthenticate. Both of these values can be set to anything between one hour and 720 hours (thirty days). The option to change these values only applies to public clients.