Developer Support FAQs

DocuSign Developer Frequently Asked Questions (FAQ)

Here are answers to some of the most frequently asked questions we encounter from developers working with the DocuSign APIs.

Integration keys

Go Live

Authentication


Integration keys

Integration keys identify your application to DocuSign for the purpose of communicating with DocuSign APIs. Discover what integration keys are, who does and does not need an integration key, and how to manage them.


What is an integration key?

An integration key is a GUID that identifies an application that integrates with DocuSign REST and SOAP APIs. Integration keys are used by the DocuSign OAuth flows—Authorization Code Grant, Implicit Grant , and Jason Web Token (JWT) Grant—to obtain access tokens. Integration keys are not used to identify specific accounts or users.


Who needs an integration key?

Any organization or individual who is developing an application, plug-in, or process that sends API requests to DocuSign needs an integration key. For example, if the application, plug-in, or process you are creating uses the eSignature REST or eSignature SOAP API, you will need an integration key.


Who does not need an integration key?

Applications that do not need access tokens to call an API do not need integration keys. This includes PowerForms initiated via their URL, clickwraps that use the JavaScript code produced by DocuSign for embedding in web pages, and DocuSign Connect listeners that do not call a DocuSign API.


Who should administer the integration key?

Integration keys should be managed by the organization that owns the application or integration. Most commonly, DocuSign customers integrate DocuSign features into their existing internal or customer-facing applications. As the owner of their existing applications, they would be the owner and administrator of their integration keys.

In other cases, an implementation partner or third-party consultant may create an application or integration on behalf of a DocuSign customer. In these scenarios, the customer is the owner of the application or integration and would be responsible for management of related integration keys.

In cases where a ISV (Independent Software Vendor) partner builds something for resale, the ISV partner owns the application and would be responsible for administration of the key. ISVs should avoid requiring customers to create or manage integration keys to be used with their software.


What are the best practices for ISV applications regarding the creation and management of integration keys?

It is best practice for the creator (or owner) of an integration to create and manage any integration keys required to communicate with the DocuSign system. For our Independent Software Vendors (ISVs), we recommend this practice for two reasons:

  1. The Go Live process was designed for developers, and end users who are required to Go Live in order to use software that they have purchased through an ISV often have no background in software development. DocuSign Support has received significant feedback from users related to the challenges of taking an integration key live.
  2. When an ISV requires their customers to use their own integration key, it is often unclear whom to contact when an issue with an integration is surfaced, on the part of both the customer who is using the application and the DocuSign Support team, who may need to refer the user to the application developer.
 

ISV SaaS applications that can secure their integration key and related secrets or RSA keys should use only one integration key for the application. This includes multi-tenant and multi-instance architectures.

Even if an instance of the application is dedicated to a single ISV customer, that instance should use the one integration key obtained by the ISV, so long as the integration key and its settings can be hidden from the ISV customer. For instanced applications, DocuSign prefers that the ISV’s customer not have access to the integration key; it should be managed and controlled by the ISV.

If the ISV creates an instance of the application for a customer, and the customer has complete control over the instance and its settings, then the customer needs to create an integration key.


How do I create an integration key?

Integration keys are created in developer sandbox accounts. Integration keys cannot be directly created on the production systems; please refer to API and Keys the DocuSign eSignature Admin Guide for reference.

Once a developer has built his or her application or integration, then the integration key is promoted to production through the Go Live process.

When a key is live in production, it is shown in the API and Keys section of eSignature Admin on the production account(s) of the administrator who promoted the key.


Go Live

Go Live is DocuSign's process for migrating an integration created in the demo environment to the production environment. Go Live is necessary before you can perform real transactions in your integration through the DocuSign APIs.


Why does DocuSign have a Go Live process?

The Go Live process is part of DocuSign’s audited trust processes. It helps ensure the stability of the DocuSign platforms and provides a programming check to the developer. The Go Live process is required for all new API integrations.


What is required to complete the Go Live process?

To go live with the eSignature API you need a developer sandbox account and integration key, 20 or more API calls run using the key in a 24-hour period, and an active production DocuSign account with a supported plan. You also need administrator privileges for the live production account to link the key.


Does the Go Live process cost anything?

No, there is no charge for the Go Live process, and you may promote as many integration keys to the production environment as you would like. All you need is a live DocuSign account on an appropriate plan to which to promote the key, as well as administrator privileges to the account.


How long does the Go Live process normally take?

The automated process can take anywhere from a few hours to three business days. If your integration completes 20+ transactions in 24 hours that comply with DocuSign's resource limits, in addition to having an active live DocuSign account and administrator access to the account, the process can take as little as a few hours.


Will my integration key change after Go Live?

No. After the Go Live process is completed, a new integration key is created in the production environment. The new production integration key will have the same value (GUID) as the developer sandbox integration key, but will otherwise be a completely separate key. The integration key will show a status of live on the developer sandbox account after Go Live completes successfully.

Note: Only the integration key is copied to production, not the configuration. Developers need to configure redirect URIs, secret(s), RSA key pairs and any other settings they wish to transfer from their developer sandbox to their production account.

What endpoint should I use to authenticate in the production environment after Go Live?

In the production environment post-Go Live, your application needs to be updated to use production endpoints and related values:

  • The URL for the authentication server needs to be updated to https://account.docusign.com
  • The base URI for API calls must also be changed: Call the UserInfo endpoint to determine the base URI and account information to interact with the DocuSign API service.
  • In addition, if the JSON Web Token (JWT) Grant authorization flow is used, remember to update the impersonated user’s GUID to the value of the API username on a production account.

What are the most common Go Live errors and what steps can I take to troubleshoot?

See the Go Live Troubleshooting Guide to discover how to handle common errors you may encounter during Go Live.


How do I enable and download API logs?

API logging is set on a per-user basis and can be enabled on the Privacy & Security page in your DocuSign account preferences. In the Request Logging section, you can Enable Logging, Disable Logging, Download Logs and Clear Logs.

Enabling logging will capture 50 requests and then disable logging automatically. Logs captured can be downloaded in the form of a ZIP file. If you need to capture more logs, you will need to clear the logs and enable logging again to capture 50 more requests; see API Request Logging for more details.

To see the API logs for your application, login to DocuSign eSignature as the user whose user ID is associated with the application’s access tokens, and then download the logs. If the application impersonates a user, only that user can download the relevant API logs.


Authentication

All integrations with DocuSign APIs must authenticate in order to make API calls.


What types of API authentication are supported? Are examples available?

DocuSign's eSignature REST API supports and has examples for Authorization Code Grant, Implicit Grant, and JSON Web Token (JWT) Grant authentication.


Detailed documentation on application consent is available in the Developer Center. Individual consent is obtained by directing the user to an authorization URI. An organization administrator can grant blanket consent to an application through the Organization module; however, this blanket consent only applies to users with email addresses under domains claimed by the organization.


What is a refresh token, and how is it used?

Refresh tokens are used in the Authorization Code Grant workflow to generate new authorization tokens without requiring end-user interaction. Standard refresh tokens last for 30 days from the initial consent grant. If the extended scope was granted, new refresh tokens can be generated as long as the currently held refresh token is less than 30 days old. Full documentation is available in the Developer Center.


Can I use the same integration key, client secrets, or RSA key pairs between the developer sandbox and production environments?

No. During the Go Live process, an integration key is transferred from developer sandbox to production. While the key's GUID will not change, the developer sandbox and production environments are separate instances, so new client secrets and RSA keypairs must be generated.


What scopes are supported in the eSignature API?

For the eSignature REST API, the scopes are signature, extended, and impersonation:
  • signature — Allows your application to create and send envelopes and obtain links to start signing sessions.
  • extended — Without this scope, a refresh token will last 30 days from the initial consent grant. With this scope, new refresh tokens can be generated indefinitely. This scope may only be used in Authorization Code Grant authentication.
  • impersonation — Allows your application to access a user’s account and act on their behalf even when that user is not present. This scope is only used by JWT Grant authentication.
 

Multiple scopes can be requested at once, separated by spaces in the authorization URL.


Can an OAuth access token's lifetime be changed?

No. JSON Web Token (JWT) grant tokens have a fixed lifetime of one hour and the Authorization Code Grant and Implicit Grant access tokens have a fixed lifetime of eight hours. If your application makes an API call with an expired token, it will encounter an authorization failure error and must request a new token to proceed.


Does DocuSign have OAuth code examples?

Yes. You can find OAuth code examples in our Developer Center: