CORS is here!
Cross-Origin Resource Sharing (CORS) is a modern web technology that enables developers and ISVs to create applications that run in the web browser and communicate directly with services such as the DocuSign eSignature REST API.
Web browser applications are often easier to create and faster to use, since no backend server is needed.
Example use cases
Browser-based DocuSign apps can be used to solve many use cases, including:
- Sending envelopes that include data from other applications or when the envelope is triggered by another application
- Looking up envelope information from DocuSign and displaying in the browser
- Managing DocuSign eSignature account information, including users, templates, folders, and more
- Enabling the logged-in user to sign envelopes
Tell me more!
Better Stack Overflow answers and test cases
How do I enable CORS for my application?
To maintain security, the client ID (integration key) must be configured with the website origins that will make CORS calls to DocuSign. Add the CORS configuration information to your client ID via the eSignature settings application, in the Apps and Keys page.
In addition, your access token must include both the
cors OAuth scopes. Finally, each eSignature account that will use your CORS application must allow CORS access. By default, CORS access is allowed.
Try out CORS now on CodePen
Today, you can try out CORS access via CodePen. Start with an example from DocuSign, then fork it (bottom right-hand section of the CodePen page). You can then build your new CORS app as a new application in your own CodePen account. It’s okay to use the DocuSign CodePen client ID (integration key) with your CodePen application. You will need to use your own CORS-enabled client ID for your application’s origin and for production.
How are the API calls authorized?
As usual, every API call must include an access token. To obtain an access token for a browser app, the Implicit Grant OAuth flow is used. The user logs in, and the resulting access token will last eight hours. Implicit Grant does not provide a refresh token. Implicit Grant does support single sign-on if it’s configured for the user.
Your application’s user must have a login for DocuSign. This means that CORS can only be used to enable recipients to sign an envelope if the signer has their own DocuSign login.
Interested? Try it out today!
CORS for the eSign REST API is available now for the development environment (demo.docusign.net). We plan for it to be generally available on the production environments in May 2023.
Want to learn more? Check out our Developer Webinar: Building a DocuSign Single-Page App with CORS | May 16 | 10am PT. REGISTER