Introducing OAuth for Partners for DocuSign Connect
DocuSign offers five different mechanisms to authenticate DocuSign Connect event messages; that is, to make sure that messages are coming only from DocuSign and not from someone else.
- OAuth authentication
- HMAC message signing and authentication
- HTTP Basic authentication
- Mutual TLS authentication
- Digital signature (SOAP only, deprecated)
OAuth for DocuSign Connect allows administrators to grant scope-based access to resources to DocuSign Connect while ensuring integrity and authenticity. DocuSign Connect specifically uses the Client Credentials authentication grant type, which is a server-to-server communication protocol. For an example of how to set up an Authorization Server on Azure, how to obtain an access token, and then how the access token is being supplied in the Connect event message, see Andy Singh’s From the Trenches blog post.
We are excited to announce a new addition to OAuth for DocuSign Connect. This feature lets partners and integrators use their OAuth settings for their clients’ event messages. This will enable integrators and partners to manage Connect security for their clients in a more streamlined way. Here’s how the authentication flow for this new Connect security option works:
OAuth for Connect must be set up for the account where the integration key is located. This would be the partner’s or integrator’s account. You can then set the integratorManaged parameter to true while creating the Connect configuration on the Client’s account. Connect will then use the partner’s or integrator’s OAuth credentials while sending event notifications. You can use this parameter for account-level and envelope-level configurations.
This functionality is only supported in the API. It is available to all Demo and Production environments.
A sample payload for what the integratorManaged parameter looks like is below:
{
"configurationType": "custom",
"urlToPublishTo":"Your Webhook URL",
"allUsers": "true",
"name": "Your configuration name",
"allowEnvelopePublish": "true",
"enableLog": "true",
"includeOauth":"true",
"integratorManaged": "true",
"deliveryMode": "SIM",
"events": [
"envelope-completed"
],
"eventData": {
"version": "restv2.1",
"includeData": [
"tabs",
"payment_tabs",
"custom_fields",
"powerform",
"recipients",
"folders",
"extensions",
"attachments",
"prefill_tabs",
"document_fields"
]
},
"requiresAcknowledgement": "true"
}
We recommend testing this out in your demo account to ensure everything works as expected.
