0
votes

I've connected my app to DocuSign and have made the JWT, received my access token, and successfully made a request for user info (https://developers.docusign.com/docs/admin-api/admin101/application-auth/).

The primary purpose of connecting this app is to create envelopes.

The call for user info (as shown in the documentation linked above) has the URL: https://api-d.docusign.net/management/v2/organizations/{orgId}/[email protected].

The call for envelopes (calling GET on this hits 'listStatusChanges' and calling POST hits 'create') uses the following URL: https://demo.docusign.net/restapi/v2.1/accounts/{accountId}/envelopes.

However, when I use my access token created above (which included the 'signature' scope) and use my 'API Account ID' as the accountId on the envelopes endpoint, I receive the following error:

{ "errorCode": "AUTHORIZATION_INVALID_TOKEN", "message": "The access token provided is expired, revoked or malformed. Authentication for System Application failed." }

But after getting that error, if I test my access_token by getting user info again, it works. So, despite requesting signature scope access, I can't use my access token on the signature endpoints. Is there another step to getting Application Authentication to work with signature endpoints? Am I using the wrong account id (my orgId and userId don't work either)?

1
Did you add "impersonation" scope? That's mandatory for JWT - Inbar Gazit
So "impersonation" is mandatory for JWTs trying to access the "signature" scope? Or all scopes that aren't management related? - Jensen Rice
"impersonation" is required to use JWT period. JWT enables you to make API calls by just specifying a userId, without having that user log in. Hence - you always impersonate a user. - Inbar Gazit
Well, you don't need impersonation to use a JWT to get an access_token to use on the Admin API since you don't impersonate users. You can see that in the first link in my post - "Unlike the JWT Grant, Application Authentication grants permissions directly to your app, rather than having your application impersonate (act on behalf of) a user. This eliminates the need to log a user in because the application is already authenticated." I tried adding "impersonation" to the scope but still received the same error on a GET request to the 'listStatusChanges' endpoint. - Jensen Rice
listStatusChanges is not in the Admin API, but in the eSignature API. Note that to add the scope, you need to request consent again, so not sure you did that. - Inbar Gazit

1 Answer

4
votes

Application Tokens can't be used for the eSignature API. In order to create an envelope, you'll need to include a User ID in your JWT assertion so that DocuSign has a user to tie the envelope to.

If you don't want the envelope to be sent by a named user on the account, you may consider adding a generic "API User" to your account and have the integration act as them. Regardless, you'll need to obtain consent for your integration to act as whoever you've picked for this.

For an end-to-end look at how this can work using our client libraries, I'd echo Inbar's recommendation to check out the Quickstart project for whichever language you're working in: https://developers.docusign.com/docs/esign-rest-api/quickstart/
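As an added illustration (not part of the original answer and not DocuSign's code), the sketch below decodes a JWT assertion's claims and reports why it could not produce a token usable on the eSignature endpoints: no user in `sub`, or the `signature` / `impersonation` scopes missing. The sample assertions, the placeholder identifiers and the helper names are constructed for this example, and the claim layout (`iss`, `sub`, `aud`, `iat`, `exp`, `scope`) is assumed to follow the JWT Grant convention discussed in the thread.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT. The signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def esign_problems(jwt: str, now=None) -> list:
    """List reasons this assertion cannot yield an eSignature-capable token."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    scopes = set(str(claims.get("scope", "")).split())
    problems = []
    if not claims.get("sub"):
        problems.append("no 'sub' claim: no user to tie the envelope to")
    for needed in ("signature", "impersonation"):
        if needed not in scopes:
            problems.append(f"scope '{needed}' missing")
    if claims.get("exp", 0) <= now:
        problems.append("assertion expired")
    return problems

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample; the last segment is a dummy."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"

# Constructed sample data: placeholders, not real keys or user IDs.
NOW = 1_700_000_000
BASE = {"iss": "INTEGRATION_KEY_PLACEHOLDER", "aud": "account-d.docusign.com",
        "iat": NOW, "exp": NOW + 3600}
APP_ONLY = make_sample_jwt({**BASE, "scope": "signature"})
USER_GRANT = make_sample_jwt({**BASE, "sub": "USER_ID_GUID_PLACEHOLDER",
                              "scope": "signature impersonation"})

if __name__ == "__main__":
    for name, token in (("app-only", APP_ONLY), ("user grant", USER_GRANT)):
        print(name, "->", esign_problems(token, now=NOW) or "claims look usable")
```

Consent is recorded on DocuSign's side, so it cannot be seen in the assertion; this check covers only the claims.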