What is the recommended authentication method for DocuSign API?

OAuth 2.0 is the recommended and most secure authentication method for all new DocuSign API integrations due to its token-based security and flexibility.

Can I use a username and password for DocuSign API authentication?

Yes, DocuSign API supports a legacy header-based authentication method using a username, password, and integrator key. However, this method is less secure than OAuth 2.0 and is not recommended for new integrations.

What is an Integration Key in DocuSign API?

An Integration Key, also known as a Client ID, is a unique identifier generated when you create an application in your DocuSign developer account. It is used in OAuth 2.0 flows to identify your client application.

How do I get an access token for DocuSign API?

Access tokens are obtained through an OAuth 2.0 grant flow (e.g., Authorization Code, Implicit, or JWT Grant) after a user or administrator grants consent to your application. The specific steps depend on the chosen grant type.

What is the difference between DocuSign's sandbox and production environments for authentication?

The sandbox (demo.docusign.net) is for development and testing, using separate integration keys and user accounts. The production environment (www.docusign.net) requires a go-live review process and uses different credentials for live operations.

How often do DocuSign access tokens expire?

DocuSign access tokens typically have a short lifespan, often expiring within an hour. Refresh tokens, obtained with certain OAuth 2.0 grants, allow your application to request new access tokens without requiring the user to re-authenticate.

What is PKCE and why is it important for DocuSign API authentication?

PKCE (Proof Key for Code Exchange) is an extension to the OAuth 2.0 Authorization Code Grant designed to prevent authorization code interception attacks, especially for public clients like mobile or single-page applications. It adds an extra layer of security by requiring a dynamically generated secret.

DocuSign API Authentication: Methods, Setup, and Security

DocuSign API authentication uses industry-standard protocols to secure access to e-signature functionalities. Developers can choose between OAuth 2.0 for robust, token-based authorization and legacy header authentication for specific integration patterns. Proper authentication ensures that API requests are authorized, protecting sensitive document workflows and user data.

Authentication overview

The DocuSign API requires authentication for all requests to ensure secure access to e-signature services and protect sensitive document data. This process verifies the identity of the application making the request and confirms its authorization to perform specific actions. DocuSign primarily leverages the OAuth 2.0 framework, which provides a secure and flexible method for delegated authorization without exposing user credentials directly to client applications. Additionally, a legacy header-based authentication method remains available for specific use cases.

Understanding the appropriate authentication flow is critical for integrating the DocuSign eSignature REST API effectively. The choice of method often depends on the application type, user interaction requirements, and security posture. OAuth 2.0, as defined by the IETF, is a protocol that allows an application to obtain limited access to a user's resources on an HTTP service, such as DocuSign, without giving away the user's password. Instead, it issues access tokens that grant specific permissions for a limited time OAuth 2.0 specification. DocuSign's implementation adheres to these standards, offering various grant types to suit different application architectures.

Supported authentication methods

DocuSign API supports both OAuth 2.0 and a legacy header-based authentication method.

OAuth 2.0

OAuth 2.0 is the recommended and most secure authentication method for new integrations. DocuSign supports several OAuth 2.0 grant types:

Authorization Code Grant: Best for web applications where the client secret can be securely stored on the server. This flow involves a redirect to DocuSign for user consent, after which an authorization code is exchanged for an access token and refresh token. This is the most common and secure flow for server-side applications DocuSign OAuth 2.0 overview.
Implicit Grant: Suitable for client-side applications (e.g., single-page applications) where the client secret cannot be securely stored. The access token is returned directly in the URL fragment after user consent. While simpler, it does not provide refresh tokens and has security considerations due to token exposure in the browser history.
JSON Web Token (JWT) Grant: Ideal for server-to-server integrations or scenarios where no user interaction is desired. The application authenticates itself using an RSA key pair and a JWT, asserting the user's identity. This bypasses the need for interactive user login once consent has been granted by an administrator DocuSign JWT Grant guide.
Client Credentials Grant: While not explicitly detailed as a primary user authentication method for DocuSign's eSignature API, it's a standard OAuth 2.0 flow for machine-to-machine communication where no user context is involved. DocuSign's JWT grant often covers similar server-to-server needs with user impersonation.

Legacy Header Authentication

This method involves passing a concatenated username, password, and integrator key in the X-DocuSign-Authentication HTTP header. This method is considered less secure than OAuth 2.0 as it directly handles user credentials and does not offer token refresh mechanisms or fine-grained consent management. It is generally deprecated for new integrations and should only be used for existing systems where migration to OAuth 2.0 is not feasible.

Authentication Method Comparison

Method	When to Use	Security Level
OAuth 2.0 (Authorization Code Grant)	Web applications (server-side) requiring user consent and refresh tokens.	High (Recommended)
OAuth 2.0 (Implicit Grant)	Client-side applications (SPAs) where client secret cannot be secured.	Medium (Token exposure in browser history)
OAuth 2.0 (JWT Grant)	Server-to-server integrations, automated processes without user interaction.	High (Requires admin consent, secure key management)
Legacy Header Authentication	Existing integrations that cannot migrate to OAuth 2.0 (deprecated for new).	Low (Direct credential exposure)

Getting your credentials

To authenticate with the DocuSign API, you need to obtain specific credentials from your DocuSign developer account. The process typically involves creating an integration in the DocuSign eSignature Admin console or the developer sandbox.

Create a Developer Account: If you don't have one, sign up for a free DocuSign developer account DocuSign Get Started guide. This provides access to the sandbox environment.
Create an App/Integration: In your developer account, navigate to "Apps and Keys." Click "Add App / Integration Key."
Configure OAuth 2.0 Settings:
- Integration Key (Client ID): This unique identifier is generated when you create your app.
- Client Secret: Generated alongside the integration key. Keep this confidential, especially for Authorization Code and Client Credentials grants.
- Redirect URIs: For Authorization Code and Implicit grants, you must register one or more callback URIs where DocuSign will redirect the user after authentication. These must exactly match the URIs used in your application.
- RSA Key Pair (for JWT Grant): For JWT authentication, you will generate an RSA key pair within the DocuSign platform. The private key remains with your application, while the public key is registered with DocuSign.
User ID: For JWT grant and legacy header authentication, you'll need the User ID of the DocuSign user whose actions your application will impersonate.

It's crucial to manage these credentials securely. Never hardcode secrets directly into your application code. Use environment variables, secret management services, or secure configuration files.

Authenticated request example

Below is an example of an authenticated request using Python with the DocuSign SDK, demonstrating the JWT Grant flow. This assumes you have already obtained an access token.

First, install the DocuSign Python SDK: pip install docusign-esign

import docusign_esign
from docusign_esign.client.api_client import ApiClient
import datetime

# --- Assume you have these values securely stored ---
INTEGRATION_KEY = "YOUR_INTEGRATION_KEY"
USER_ID = "YOUR_USER_ID"
PRIVATE_KEY_PATH = "/path/to/your/private_key.pem"
API_ACCOUNT_ID = "YOUR_ACCOUNT_ID" # Obtain from user info after initial authentication
BASE_PATH = "https://demo.docusign.net/restapi" # Use demo.docusign.net for sandbox

def get_access_token_jwt():
    # This function would handle the JWT grant flow to get a new token when needed
    # For brevity, assume a valid token is already acquired for this example
    # In a real application, you'd use docusign_esign.OAuth.request_jwt_user_token
    return "YOUR_VALID_ACCESS_TOKEN"

# Get an access token (in a real app, this would involve the JWT flow)
access_token = get_access_token_jwt()

# Configure API client
api_client = ApiClient(host=BASE_PATH)
api_client.set_default_header("Authorization", f"Bearer {access_token}")

# Initialize Envelopes API
envelopes_api = docusign_esign.EnvelopesApi(api_client)

# Example: List envelopes for the authenticated user
try:
    # Set filter parameters
    from_date = (datetime.datetime.now() - datetime.timedelta(days=30)).strftime("%Y/%m/%d")
    options = docusign_esign.ListStatusChangesOptions()
    options.from_date = from_date

    # Make the API call
    response = envelopes_api.list_status_changes(account_id=API_ACCOUNT_ID, options=options)

    print("Successfully retrieved envelopes:")
    for envelope in response.envelopes:
        print(f"  Envelope ID: {envelope.envelope_id}, Status: {envelope.status}")

except docusign_esign.ApiException as e:
    print(f"Error calling DocuSign API: {e}")
    if e.body:
        print(f"Response body: {e.body}")

This example demonstrates setting the Authorization header with a Bearer token, which is standard for OAuth 2.0 authenticated requests Bearer Token Usage RFC 6750. The API_ACCOUNT_ID is specific to the DocuSign account and can be obtained from the user information endpoint after successful authentication.

Security best practices

Adhering to security best practices is paramount when integrating with the DocuSign API to protect sensitive documents and user data.

Always Use OAuth 2.0: Prioritize OAuth 2.0 for all new integrations over legacy header authentication. It provides better security through token-based access, refresh token mechanisms, and delegated consent.
Secure Client Secrets: For Authorization Code Grant, store your client secret securely on your server. Never expose it in client-side code (e.g., JavaScript in browsers or mobile apps). Use environment variables, secret management services (like AWS Secrets Manager or Azure Key Vault), or secure configuration files.
Protect Private Keys (JWT): If using JWT Grant, safeguard your RSA private key. It should never be committed to source control or exposed publicly. Rotate keys periodically.
Validate Redirect URIs: Ensure that all Redirect URIs registered in your DocuSign integration settings are legitimate and fully controlled by your application. Mismatched or malicious redirect URIs can lead to authorization code or token interception.
Implement PKCE: For public clients (mobile and single-page applications) using Authorization Code Grant, implement Proof Key for Code Exchange (PKCE). PKCE adds an extra layer of security against authorization code interception attacks OAuth 2.0 PKCE specification.
Handle Access Tokens Securely: Access tokens have a limited lifespan. Store them in memory for the duration of their validity, or securely in an encrypted, short-lived cache. Never store them in local storage (browser) or plain text.
Use Refresh Tokens Wisely: Refresh tokens allow your application to obtain new access tokens without re-prompting the user. Store refresh tokens securely and use them only when necessary. Revoke them if compromised.
Error Handling and Logging: Implement robust error handling for authentication failures. Log relevant (non-sensitive) information for auditing and troubleshooting, but never log sensitive credentials or tokens.
Regular Audits: Periodically review your integration's authentication setup and access logs for any suspicious activity or unauthorized access attempts.
Least Privilege: When requesting scopes during OAuth consent, ask for only the minimum permissions necessary for your application to function. This limits the potential impact of a compromised token.

DocuSign API Authentication: Methods, Setup, and Security

Authentication overview

Supported authentication methods

OAuth 2.0

Legacy Header Authentication

Authentication Method Comparison

Getting your credentials

Authenticated request example

Security best practices

Frequently asked questions

Reviews

Discussion

Written by

Authentication overview

Supported authentication methods

OAuth 2.0

Legacy Header Authentication

Authentication Method Comparison

Getting your credentials

Authenticated request example

Security best practices

Related

Frequently asked questions

Reviews

Discussion

Written by