CloudExtend Outlook for NetSuite and CloudExtend Excel for NetSuite users are able to take advantage of NetSuite's secure login flow that supports two-factor authentication, Single Sign-On, and more. 

When a user has the User Access Tokens permission enabled (recommended by NetSuite for integrations)  a token id and secret are automatically generated for the user when logging in. This token id and secret are specific to the role the user is logging in with, ie if they are logging in under a Sales Manager role this token id and secret are tied to that user's id and role.

When a user logs out of NetSuite via CloudExtend (Menu icon> Log out) the token is revoked.

NetSuite allows a maximum of 25 active tokens per user. CloudExtend will generate these tokens upon login but can only revoke the current token during logout. 

For security reasons, when using Outlook on the web, CloudExtend uses the browser's session storage. This storage session is cleared whenever a user explicitly closes the Outlook on the web browser tab (this is beyond our control). If this happens before the user logs out of NetSuite via CloudExtend (menu->log out) the session details including the reference to the tokens are all lost, hence it is not possible to automatically revoke the token, and build-up will occur.
Note that if you exit your browser while the Outlook tab is still open (and you are logged in to NetSuite via CloudExtend) and later open your browser and restore all tabs the session storage will remain intact. 

To avoid token build-up in this scenario be sure to log out of NetSuite via CloudExtend (Menu > Log out) prior to closing your browser tab.

Microsoft stores information in the user's browser cache. CloudExtend does not control which browser cache is used and Microsoft will choose Edge for users on a recent Windows build and Internet Explorer for users on an older Windows build.  If a user has their browser set to clear cache on exit then the logout action will not occur and the user's token will not be revoked and over time they will reach the max limit of 25 tokens.

If a user does not log out via CloudExtend (menu icon->log out) and subsequently clears their browser cache then the next time they log in they will be forced to create a new set of tokens since the reference to the original set was cleared in the browser cache. Further, since the user did not explicitly log out the original set of tokens were not revoked.

If a user has reached the 25 token limit the older tokens can be revoked by navigating to Setup > User Roles> Access Tokens and revoking the desired tokens.