# general
t
Hi, hope you're doing well. I'm currently integrating my application with NetSuite and working with the REST APIs. Initially, I set up OAuth 2.0 with the authorization code grant, but later discovered that the refresh token is only valid for 7 days, requiring users to manually re-authorize via redirection to NetSuite. This limitation is a blocker for my use case.

To resolve this, I switched to the Client Credentials (M2M) flow. According to the documentation, the access token in this flow is valid for 2 years, which suits my needs. However, I noticed another section in the documentation mentioning a 90-day expiration, which has caused some confusion.

Here are the links I've been referring to:
• OAuth 2.0 Token-Based Authentication
• Managing Client Credentials

Can anyone please help clarify the actual expiration period for tokens in the Client Credentials flow?
s
Skimming your links, the 90-day expiration is how often NetSuite changes their own certificates. As long as your system accepts NetSuite's certs you shouldn't have a problem (i.e. NetSuite certs assumed to be signed by a CA your system already trusts, and future certs would also be naturally trusted). The 2-year expiration is the one that does matter to you, as that applies to YOUR certificate.