Developer FAQs - DocuSign
DocuSign Developer Frequently Asked Questions (FAQ)
Here are answers to some of the most frequently asked questions we encounter from developers working with the DocuSign APIs.
- What is an integration key?
- Who needs an integration key?
- Who does not need an integration key?
- Who should administer the integration key?
- What are the best practices for ISV applications regarding the creation and management of integration keys?
- How do I create an integration key?
- Why does DocuSign have a Go Live process?
- What is required to complete the Go Live process?
- Does the Go Live process cost anything?
- How long does the Go Live process normally take?
- Will my integration key change after Go Live?
- What endpoint should I use to authenticate in the production environment after Go Live?
- What are the most common Go Live errors and what steps can I take to troubleshoot?
- How do I enable and download API logs?
- What constitutes 20+ successful calls for Go Live?
- During Go Live, my production account was not accepted, with the message “The account is not the right type.” What type of account is needed?
- What types of API authentication are supported? Are examples available?
- How can I find my user ID for authentication?
- How do I grant consent to an application?
- What is a refresh token, and how is it used?
- Can I use the same integration key, client secrets, or RSA key pairs between the developer sandbox and production environments?
- What scopes are supported in the eSignature API?
- Can an OAuth access token's lifetime be changed?
- Does DocuSign have OAuth code examples?
- How do I grant consent for the JSON Web Token (JWT) Grant?
- When using JWT authentication, how do I troubleshoot an invalid_grant or other errors?
- Why am I still getting "consent_required" after granting Administrative consent?
- Why am I getting UserNotFound when I make an UserInfo call with a valid token?
- Why aren't my template roles matching?
- What are some of the possible behaviors and issues during template matching?
- How to create and prefill tab values on a template?
- Can the eSignature REST API override the account’s default reminders and expiration?
- How can I avoid having my application throttled by DocuSign API rate limits?
Integration keys identify your application to DocuSign for the purpose of communicating with DocuSign APIs. Discover what integration keys are, who does and does not need an integration key, and how to manage them.
What is an integration key?
An integration key is a GUID that identifies an application that integrates with DocuSign REST and SOAP APIs. Integration keys are used by the DocuSign OAuth flows—Authorization Code Grant, Implicit Grant , and JSON Web Token (JWT) Grant—to obtain access tokens. Integration keys are not used to identify specific accounts or users.
Who needs an integration key?
Any organization or individual who is developing an application, plug-in, or process that sends API requests to DocuSign needs an integration key. For example, if the application, plug-in, or process you are creating uses the eSignature REST or eSignature SOAP API, you will need an integration key.
Who does not need an integration key?
Who should administer the integration key?
Integration keys should be managed by the organization that owns the application or integration. Most commonly, DocuSign customers integrate DocuSign features into their existing internal or customer-facing applications. As the owner of their existing applications, they would be the owner and administrator of their integration keys.
In other cases, an implementation partner or third-party consultant may create an application or integration on behalf of a DocuSign customer. In these scenarios, the customer is the owner of the application or integration and would be responsible for management of related integration keys.
In cases where a ISV (Independent Software Vendor) partner builds something for resale, the ISV partner owns the application and would be responsible for administration of the key. ISVs should avoid requiring customers to create or manage integration keys to be used with their software.
What are the best practices for ISV applications regarding the creation and management of integration keys?
It is best practice for the creator (or owner) of an integration to create and manage any integration keys required to communicate with the DocuSign system. For our Independent Software Vendors (ISVs), we recommend this practice for two reasons:
- The Go Live process was designed for developers, and end users who are required to Go Live in order to use software that they have purchased through an ISV often have no background in software development. DocuSign Support has received significant feedback from users related to the challenges of taking an integration key live.
- When an ISV requires their customers to use their own integration key, it is often unclear whom to contact when an issue with an integration is surfaced, on the part of both the customer who is using the application and the DocuSign Support team, who may need to refer the user to the application developer.
- ISV Partners, participating in the ISV Referral Program, should email firstname.lastname@example.org or their Partner Representatiive to schedule an App review prior to Go-Live process.
ISV SaaS applications that can secure their integration key and related secrets or RSA keys should use only one integration key for the application. This includes multi-tenant and multi-instance architectures.
Even if an instance of the application is dedicated to a single ISV customer, that instance should use the one integration key obtained by the ISV, so long as the integration key and its settings can be hidden from the ISV customer. For instanced applications, DocuSign prefers that the ISV’s customer not have access to the integration key; it should be managed and controlled by the ISV.
If the ISV creates an instance of the application for a customer, and the customer has complete control over the instance and its settings, then the customer needs to create an integration key.
How do I create an integration key?
Integration keys are created in developer sandbox accounts. Integration keys cannot be directly created on the production systems; please refer to API and Keys the DocuSign eSignature Admin Guide for reference.
Once a developer has built his or her application or integration, then the integration key is promoted to production through the Go Live process.
When a key is live in production, it is shown in the API and Keys section of eSignature Admin on the production account(s) of the administrator who promoted the key.
Go Live is DocuSign's process for migrating an integration created in the demo environment to the production environment. Go Live is necessary before you can perform real transactions in your integration through the DocuSign APIs.
Why does DocuSign have a Go Live process?
The Go Live process is part of DocuSign’s audited trust processes. It helps ensure the stability of the DocuSign platforms and provides a programming check to the developer. The Go Live process is required for all new API integrations.
What is required to complete the Go Live process?
To go live with the eSignature API you need a developer sandbox account and integration key, 20 or more API calls run using the key in a 24-hour period, and an active production DocuSign account with a supported plan. You also need administrator privileges for the live production account to link the key.
Does the Go Live process cost anything?
No, there is no charge for the Go Live process, and you may promote as many integration keys to the production environment as you would like. All you need is a live DocuSign account on an appropriate plan to which to promote the key, as well as administrator privileges to the account.
How long does the Go Live process normally take?
The automated process can take anywhere from a few hours to three business days. If your integration completes 20+ transactions in 24 hours that comply with DocuSign's resource limits, in addition to having an active live DocuSign account and administrator access to the account, the process can take as little as a few hours.
Will my integration key change after Go Live?
No. After the Go Live process is completed, a new integration key is created in the production environment. The new production integration key will have the same value (GUID) as the developer sandbox integration key, but will otherwise be a completely separate key. The integration key will show a status of live on the developer sandbox account after Go Live completes successfully.
What endpoint should I use to authenticate in the production environment after Go Live?
In the production environment post-Go Live, your application needs to be updated to use production endpoints and related values:
- The URL for the authentication server needs to be updated to https://account.docusign.com
- The base URI for API calls must also be changed: Call the UserInfo endpoint to determine the base URI and account information to interact with the DocuSign API service.
- In addition, if the JSON Web Token (JWT) Grant authorization flow is used, remember to update the impersonated user’s GUID to the value of the API username on a production account.
What are the most common Go Live errors and what steps can I take to troubleshoot?
See the Go Live Troubleshooting Guide to discover how to handle common errors you may encounter during Go Live.
How do I enable and download API logs?
API logging is set on a per-user basis and can be enabled on the Privacy & Security page in your DocuSign account preferences. In the Request Logging section, you can Enable Logging, Disable Logging, Download Logs and Clear Logs.
Enabling logging will capture 50 requests and then disable logging automatically. Logs captured can be downloaded in the form of a ZIP file. If you need to capture more logs, you will need to clear the logs and enable logging again to capture 50 more requests; see API Request Logging for more details.
To see the API logs for your application, login to DocuSign eSignature as the user whose user ID is associated with the application’s access tokens, and then download the logs. If the application impersonates a user, only that user can download the relevant API logs.
What constitutes 20+ successful calls for Go Live?
To pass the go-live process, you'll need to make 20 or more consecutive successful API calls that fall within our guidelines. For additional information, please see our API Rules and Limits documentation.
During Go Live, my production account was not accepted, with the message “The account is not the right type.” What type of account is needed?
The production account used to manage your integration key in production must be a Business Pro account or higher. Ask your DocuSign salesperson if you have questions.
All integrations with DocuSign APIs must authenticate in order to make API calls.
What types of API authentication are supported? Are examples available?
How can I find my user ID for authentication?
While you can use the API to query for the user ID for any member of your account, you need one user ID to get started with JWT Authentication. To find your own user ID, navigate to Admin > API and Keys. To find the user ID for any other member of the account, navigate to Admin > Users > Edit.
How do I grant consent to an application?
Detailed documentation on application consent is available in the Developer Center. Individual consent is obtained by directing the user to an authorization URI. An organization administrator can grant blanket consent to an application through the Organization module; however, this blanket consent only applies to users with email addresses under domains claimed by the organization.
What is a refresh token, and how is it used?
Refresh tokens are used in the Authorization Code Grant workflow to generate new authorization tokens without requiring end-user interaction. Standard refresh tokens last for 30 days from the initial consent grant. If the extended scope was granted, new refresh tokens can be generated as long as the currently held refresh token is less than 30 days old. Full documentation is available in the Developer Center.
Can I use the same integration key, client secrets, or RSA key pairs between the developer sandbox and production environments?
No. During the Go Live process, an integration key is transferred from developer sandbox to production. While the key's GUID will not change, the developer sandbox and production environments are separate instances, so new client secrets and RSA keypairs must be generated.
What scopes are supported in the eSignature API?For the eSignature REST API, the scopes are signature, extended, and impersonation:
- signature — Allows your application to create and send envelopes and obtain links to start signing sessions.
- extended — Without this scope, a refresh token will last 30 days from the initial consent grant. With this scope, new refresh tokens can be generated indefinitely. This scope may only be used in Authorization Code Grant authentication.
- impersonation — Allows your application to access a user’s account and act on their behalf even when that user is not present. This scope is only used by JWT Grant authentication.
Multiple scopes can be requested at once, separated by spaces in the authorization URL.
Can an OAuth access token's lifetime be changed?
No. JSON Web Token (JWT) grant tokens have a fixed lifetime of one hour and the Authorization Code Grant and Implicit Grant access tokens have a fixed lifetime of eight hours. If your application makes an API call with an expired token, it will encounter an authorization failure error and must request a new token to proceed.
Does DocuSign have OAuth code examples?
Yes. You can find OAuth code examples in our Developer Center:
How do I grant consent for the JSON Web Token (JWT) Grant?
Detailed documentation on application consent specific to the JWT Grant is available in the Developer Center.
JWT consent can be granted administratively by the system administrator if your account includes the Access Management feature (previously known as the “org admin” feature) and you have claimed the email domain of the impersonated users’ email addresses.
JWT consent can also be granted individually; each user who will be impersonated must grant permission themselves.
To grant consent individually, use the same consent process as Authorization Code Grant with a few exceptions:
- The scopes must include signature and impersonation (and perhaps other scopes too, depending on the API you’ll be using).
- Don't use the authorization code that is returned to request a token. Just ignore it: the important side effect is that the user has granted consent to your integration key.
- The consent is stored on DocuSign servers until it is revoked by a user, so typically, you only need to get user consent once.
When using JWT authentication, how do I troubleshoot an invalid_grant or other errors?
The invalid_grant error is a generic error response that means something is incorrect in the JWT assertion. In order to determine what is wrong, refer to the error_description parameter in the response. If the error_description isn't readily available in your application, we recommend setting up error logging that captures the full error response.
Authentication error responses:
- consent_required: If using individual consent, make sure consent has been granted for the desired scopes. The signature impersonation scope is the minimum required for JWT authentication, but other scopes may be necessary for Rooms or Admin functions.
- invalid_subject or user_not_found: Something is likely wrong with the sub (subject) value in the assertion. Confirm that the value is a valid GUID user ID (not an email address) of a user that is active in the relevant environment.
- Issuer_not_found: The integration key in the iss (issuer) parameter is unavailable in the current environment. This can also mean a mismatch in the aud (audience) value and the environment being hit: for example, using an aud value of account.docusign.com while requesting a token from https://account-d.docusign.com/oauth/token.
- no_valid_keys_or_signatures: This error covers several cases:
- There is an issue with the private key used to sign the assertion (for example, using a demo key in the production environment).
- The assertion is missing an exp (expiration) parameter
- The aud (audience) parameter is invalid - confirm the audience value is exactly account.docusign.com or account-d.docusign.com with no https:// prefix or trailing slash (/).
- An nbf (not valid before) parameter is defined, and that time has not been reached. The nbf parameter is optional and can be removed from the assertion, but if it is present, it must be a time in the past.
- expired_grant: The assertion has expired. The exp (Expiration) parameter must be a time in the future.
Why am I still getting "consent_required" after granting Administrative consent?
Admin consent requires a claimed email domain, and only applies consent to users with an email address in that domain. So in order to grant Admin consent to act as email@example.com, the domain example.com must be claimed in your organization, and signature impersonation scopes must be granted under the Applications tab of DocuSign Administration (not DocuSign eSignature Administration).
Once the domain claim is confirmed, there can be a delay of a few minutes before it is recognized by DocuSign. If the error persists after that, we recommend clearing your browser cache.
Why am I getting UserNotFound when I make an UserInfo call with a valid token?
This is due to a known issue: API - UserInfo call returns empty array for specific user. Note that, while that article refers to an empty UserInfo response, the UserNotFound / "The user is not found in DocuSign" response is due to the same underlying behavior and has the same solution. Please open a DocuSign Support case referencing that article and providing the relevant information.
Templates help streamline the sending process when you frequently send the same or similar documents, or send documents to the same group of people.
Why aren't my template roles matching?
For your template roles to match, the values that you supply for your routingOrder and roleName parameters must be identical to the role you're matching.
What are some of the possible behaviors and issues during template matching?
Scenario: Same role, different name
- The ONESIGN_ALLSIGN_NOTSATISFIED API fault is returned if Document Visibility is enabled for a DS account.
- If Document Visibility is not enabled for the account, the envelope will be sent with duplicate recipients to the same email. One has tabs, the other does not.
Scenario: Different role, same name or email
Error: Envelope contains duplicate recipients. This creates a new recipient with the same name, email, and signing order position as the original recipient. This often results in an error indicating the envelope contains duplicate recipients. In this situation, end users may see an error when working with tabs indicating that fields are out of sync.
How to create and prefill tab values on a template?
To supply a value for a tab on a template, you can supply the value alongside the tab's label within your tab definitions. See our setting template tab values code example.
Envelope Management allows you to create, send, locate, track & manage envelopes in your account.
Can the eSignature REST API override the account’s default reminders and expiration?
Yes. When you create an envelope with the API, you can set how many days after send to begin reminding recipients and how often thereafter. You can also set when the envelope will expire, and how many days prior to expiration to warn the recipient. You can find a detailed explanation and code examples in several languages using our SDKs on the DocuSign blog.
How can I avoid having my application throttled by DocuSign API rate limits?
DocuSign has default rate limits of 1,000 API calls per hour, API burst limits of 500 calls in 30 seconds, and polling rules stating that GET calls to the same envelope resource may not be made more than once every 15 minutes.
You can avoid rate limits by checking your API usage, using bulk operations, and refraining from requesting information more than once about envelopes in a terminal state (Completed, Voided, Declined). Instead of polling, we recommend using webhooks via DocuSign Connect. You do not need to change your firewall to use webhook notifications; see our blog post.