Docusign: OAuth Flow Outlined

Sign, Sealed, Delivered

In my most recent Ruby/React project I was tasked with getting a digital signature feature working. I researched a bit and found Docusign to be a highly recommended API for accomplishing signatures online. After a week I can honestly say it's one of the more challenging APIs I've had to deal with. Here is a breakdown of how to get OAuth working.

Step 1

The first thing you need to do is sign up for a Docusign Developer Account. There are actually two types of accounts, so make sure you are creating a Developer Account and not a standard one. Now you can create a demo project to get things working. You will need to set up a project in order to use their API. Go to Apps and Keys in the Settings tab.

Step 2 auth_code

The first step to actually hitting the API is to retrieve the auth_code. We will be making a GET request to a URL in this format (this flow assumes we are using the Authorization Code Grant (ACG) method of authorization):

https://account-d.docusign.com/oauth/auth?
response_type=code
&scope=signature
&client_id=YOUR_INTEGRATION_KEY
&redirect_uri=YOUR_REDIRECT_URI

Step 3 access_token

The next step is to make a POST request to Docusign with the obtained auth_code.

https://account-d.docusign.com/oauth/token

Step 4 user’s_base_uri

The last step in our OAuth flow is to get the base URI unique to the user on whose behalf the application is making the API call. API calls need both this base URI and the access_token we just got. We will be making a GET request, with the access_token in the Authorization header, to

https://account-d.docusign.com/oauth/userinfo
Authorization: Bearer YOUR_ACCESS_TOKEN
https://developers.docusign.com/platform/auth/authcode/authcode-get-token/
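
Steps 2 to 4 put together in Ruby, as an added example (not code from the original project). The state parameter, the Basic Authorization header, the grant_type/code body and the accounts/is_default/base_uri fields are not shown on this page; they follow Docusign's Authorization Code Grant documentation linked above, and all function names are hypothetical.

```ruby
require 'net/http' # also loads uri
require 'json'
require 'securerandom'

AUTH_HOST = 'https://account-d.docusign.com' # demo environment used in the steps above

# Step 2: consent URL. `state` (not shown in the steps above) is a random
# per-session value stored server-side and checked again on the callback.
def authorization_url(client_id:, redirect_uri:, state: SecureRandom.hex(16))
  query = URI.encode_www_form(response_type: 'code', scope: 'signature', state: state,
                              client_id: client_id, redirect_uri: redirect_uri)
  ["#{AUTH_HOST}/oauth/auth?#{query}", state]
end

# Callback handler: accept the code only if `state` matches what we issued.
def code_from_callback(callback_url, expected_state)
  params = URI.decode_www_form(URI(callback_url).query.to_s).to_h
  ok = !expected_state.to_s.empty? && params['state'] == expected_state
  raise ArgumentError, 'state mismatch' unless ok
  params.fetch('code')
end

# Step 3: exchange the code. Integration key and secret key go in a Basic
# Authorization header; the code goes in a form-encoded body.
def token_request(code:, client_id:, client_secret:)
  req = Net::HTTP::Post.new(URI("#{AUTH_HOST}/oauth/token"))
  req.basic_auth(client_id, client_secret)
  req.set_form_data('grant_type' => 'authorization_code', 'code' => code)
  req
end

# Step 4: userinfo request, then pick the default account's base_uri.
def userinfo_request(access_token)
  req = Net::HTTP::Get.new(URI("#{AUTH_HOST}/oauth/userinfo"))
  req['Authorization'] = "Bearer #{access_token}"
  req
end

def default_base_uri(userinfo_json)
  accounts = JSON.parse(userinfo_json).fetch('accounts')
  base = (accounts.find { |a| a['is_default'] } || accounts.fetch(0)).fetch('base_uri')
  raise ArgumentError, 'base_uri is not https' unless URI(base).scheme == 'https'
  base
end

# Sends a prepared request over TLS (the only function that touches the network).
def send_request(req)
  Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |http| http.request(req) }
end
```

Keep the secret key and the returned access_token on the server side only; the browser should only ever see the consent URL and the redirect carrying the code.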

Complex But Secure

At first I thought the flow for Docusign OAuth was needlessly complicated. That was until I thought of how important security is for something requiring a digital signature. The extra steps are quite necessary when you think of how malicious things can get with forgery involved. Hopefully this will help you to understand Docusign's OAuth flow.