Authorization

Follow this guide to create a new DocuSign eSignature credential that will allow Nexla to authenticate to and exchange data with your DocuSign eSignature account.

DocuSign eSignature

Prerequisites

To connect Nexla to DocuSign eSignature, you need an active DocuSign account with API access and the appropriate credentials for your chosen authentication method. DocuSign supports three authentication approaches: API Key (Bearer Token), OAuth2 Authorization Code Grant, and JWT Grant for server-to-server integrations.

DocuSign Account

Before obtaining credentials, ensure you have access to a DocuSign account:

• For development and testing, sign up for a free DocuSign Developer account at developers.docusign.com. The developer sandbox environment (account-d.docusign.com) provides a safe environment to build and test integrations without affecting production data.

• For production use, log in to your DocuSign production account at account.docusign.com. You will need Admin access to create integration keys and manage API credentials.

Create an Integration Key (Required for OAuth2 and JWT)

An Integration Key (also called a Client ID) is a unique identifier that represents your application in DocuSign. It is required for both the OAuth2 Authorization Code Grant and JWT Grant authentication methods.

1. Log in to your DocuSign account and navigate to Settings in the top navigation bar.

2. Under the Integrations section in the left-hand sidebar, click Apps and Keys.

3. Click the ADD APP & INTEGRATION KEY button.

4. Enter a descriptive name for your application (e.g., "Nexla Integration") and click ADD. DocuSign automatically generates a 32-character Integration Key (GUID) for your application.

5. Copy and securely store the Integration Key — this value is your Client ID, required for both OAuth2 and JWT authentication.

Obtain a Secret Key (Required for OAuth2 Only)

If using the OAuth2 Authorization Code Grant method, you also need a Client Secret associated with your Integration Key:

1. On the Apps and Keys page, click ACTIONS next to your Integration Key and select Edit.

2. Under the Authentication section, click ADD SECRET KEY.

3. Copy the generated secret key immediately and store it securely. DocuSign displays this key only once — it cannot be retrieved later from the DocuSign interface.

Important

Store your Client Secret in a secure location immediately after generation. If you lose the secret key, you will need to generate a new one, which will invalidate the previous secret.

Generate an RSA Key Pair (Required for JWT Only)

If using the JWT Grant authentication method for automated server-to-server integrations:

1. On the Apps and Keys page, click ACTIONS next to your Integration Key and select Edit.

2. Under the Authentication section, click ADD RSA KEYPAIR. DocuSign generates a public/private RSA key pair.

3. Download or copy the private key (in PEM format, beginning with -----BEGIN RSA PRIVATE KEY-----) and store it in a secure location. The private key is shown only once and cannot be retrieved from DocuSign after closing this dialog.

4. The corresponding public key is automatically saved and associated with your integration in DocuSign.

Find Your User ID (Required for JWT Only)

The User ID is the GUID of the DocuSign user that the JWT integration will act on behalf of:

1. On the Apps and Keys page, your API Username (User ID) is displayed in the My Account Information section at the top of the page.

2. Copy this value — it is a 32-character GUID (for example, 12345678-abcd-1234-abcd-123456789012).

Grant Consent for JWT (Required for JWT Only)

Before a JWT integration can access the DocuSign API on behalf of a user, that user must explicitly grant consent to the integration. This is a one-time step per user per integration.

1. Construct a consent URL using the format below, replacing {integration_key} with your Integration Key value and {redirect_uri} with a valid redirect URI registered for your integration:

   https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id={integration_key}&redirect_uri={redirect_uri}

   For production accounts, replace account-d.docusign.com with account.docusign.com.

2. Open the URL in a browser, log in with the DocuSign user account that will be impersonated, and click Accept to grant consent.

Consent must be granted once per user per integration. After consent is granted, the JWT flow can obtain access tokens programmatically without further user interaction, making it ideal for automated batch processing and server-to-server workflows.

Determine Your DocuSign Environment

DocuSign operates separate environments for development/testing and production. When configuring your credential in Nexla, you will need to specify the correct base URL for your environment:

• Demo (Sandbox): account-d.docusign.com — for development and testing (OAuth2 and JWT)
• Production (US): account.docusign.com — for live US production use (OAuth2 and JWT)
• Production (EU): account.docusign.eu — for EU-region production accounts (OAuth2 and JWT)

For the API Key (Bearer Token) method, the environment field expects the API host URL (e.g., demo.docusign.net or na2.docusign.net). Your account's API host URL is listed under Settings > Apps and Keys > Account Base URI in your DocuSign account.

---

Create a DocuSign eSignature Credential

• To create a new DocuSign eSignature credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

Credential Name & Description

1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

   Resource descriptions are recommended but are not required. They should be used to provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.

Authentication Method

DocuSign eSignature supports three authentication methods in Nexla. Select the method that best fits your integration scenario and follow the corresponding steps below.

DocuSign eSignature Authentication Methods

API Key (Bearer Token)

Authenticate using a pre-obtained OAuth2 access token passed as a Bearer token in the Authorization header. This method is useful when you already have a valid access token obtained through DocuSign's OAuth2 or JWT flow outside of Nexla. Note that DocuSign access tokens expire after 8 hours, so periodic token rotation is required.

1. Enter your DocuSign OAuth2 access token in the **API Key Value** field. This Bearer token is obtained from DocuSign's OAuth2 authorization flow or JWT assertion grant and is passed in the `Authorization: Bearer {token}` request header for all API calls.
2. Enter the API host URL for your DocuSign account environment in the **DocuSign Environment** field. This is the hostname used in API requests—for example, `demo.docusign.net` for sandbox, or your account's assigned production host (such as `na2.docusign.net` or `eu.docusign.net`). Your account's base URI is displayed under **Settings > Apps and Keys > Account Base URI** in your DocuSign account.

OAuth2 (Authorization Code Grant)

Authenticate using DocuSign's OAuth2 Authorization Code Grant flow. This is the recommended method for user-present integrations. Nexla handles the OAuth2 redirect flow to obtain and automatically refresh access tokens. The DocuSign OAuth2 flow requests the `signature` and `impersonation` scopes. Before configuring this method, complete the Integration Key and Secret Key steps in the Prerequisites section above.

1. Select your DocuSign environment from the **DocuSign Environment** dropdown: **Demo (Sandbox)** (`account-d.docusign.com`) for development and testing, **Production (US)** (`account.docusign.com`) for US production accounts, or **Production (EU)** (`account.docusign.eu`) for EU-region production accounts.
2. Enter your Integration Key in the **Integration Key (Client ID)** field. This is the 32-character GUID generated when you created your app on the DocuSign **Apps and Keys** page (**Settings > Integrations > Apps and Keys**).
3. Enter the Client Secret associated with your Integration Key in the **Client Secret** field. This value was generated when you added a secret key to your integration on the **Apps and Keys** page. Store this value securely, as it grants API access to your DocuSign integration.

JWT Grant (Service Integration)

Authenticate using DocuSign's JWT Grant flow for automated server-to-server integrations that operate without user interaction. This method uses an RSA private key to sign a JWT assertion, which DocuSign exchanges for an access token. It is best suited for automated batch processing and workflow automation. Before using this method, complete the RSA Key Pair generation, User ID, and Consent steps in the Prerequisites section above.

1. Select your DocuSign environment from the **DocuSign Environment** dropdown: **Demo (Sandbox)** (`account-d.docusign.com`) for development and testing, **Production (US)** (`account.docusign.com`) for US production accounts, or **Production (EU)** (`account.docusign.eu`) for EU-region production accounts.
2. Enter your Integration Key in the **Integration Key (Client ID)** field. This is the 32-character GUID from the DocuSign **Apps and Keys** page. The Integration Key is used as the JWT `iss` (issuer) claim when generating the token assertion.
3. Enter the User ID of the DocuSign user to be impersonated in the **User ID (API Username)** field. This is the 32-character GUID displayed in the **My Account Information** section of the **Apps and Keys** page. The User ID is used as the JWT `sub` (subject) claim.
4. Paste your RSA private key in PEM format in the **RSA Private Key** field. This is the private key generated when you added an RSA Keypair to your integration on the DocuSign **Apps and Keys** page. The key should begin with `-----BEGIN RSA PRIVATE KEY-----` and end with `-----END RSA PRIVATE KEY-----`. This key is the primary secret for this authentication method — store it securely and never share it.

Save the Credential

1. Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.

2. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.