docusign / docusign-esign-node-client

The Official DocuSign Node.js Client Library used to interact with the eSign REST API. Send, sign, and approve documents using this client.
http://docusign.github.io/docusign-esign-node-client
MIT License

Trouble using JWT Application Token to generate envelopes and signing urls #186

Closed Atrus619 closed 4 years ago

Atrus619 commented 4 years ago

I've been successful in generating access tokens using dsApiClient.requestJwtApplicationToken. However, the first issue that comes up is that in the response, the token_type is "Application", even though the documentation specifies that it should be "Bearer" (see: https://developers.docusign.com/orgadmin-api/guides/auth/application-auth)

Upon trying to use this access token, I instantiate a new docusign api client and add the access token to the header as follows:

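```js
const docusign = require('docusign-esign')

// Runs inside a class that holds docuSignApiUrl and accessToken
const dsApiClient = new docusign.ApiClient()
dsApiClient.setBasePath(this.docuSignApiUrl)
dsApiClient.addDefaultHeader('Authorization', `Bearer ${this.accessToken}`)
```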

Note that this strategy works perfectly well if I use the oauth token generator (using: https://developers.docusign.com/oauth-token-generator)

Upon using the access token generated automatically, I get an error of "Unauthorized". If I change the header to say "Application" instead of "Bearer", I get an error of "Invalid Request" (so I am assuming that is incorrect syntax).

If I instead use the requestJwtUserToken method along with a User API ID, then I get an error (upon requesting the access token) of "no consent granted".

How am I supposed to generate an access token programmatically for my backend server?

acooper4960 commented 4 years ago

Hey @Atrus619

Regarding your issues: I would need more info on "Upon using the access token generated automatically, I get an error of "Unauthorized"" to get info on what's going wrong with this. I am unsure of the steps you chose during this authorization path.

However, it looks like you're almost there with your JWT auth. You just need to get consent. Can I direct you to our JWT guides? They will walk you through this process. https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken (Step 1: Request Application Consent)

Please feel free to comment here if that doesn't work for you.

Atrus619 commented 4 years ago

@acooper4960 Thank you for the prompt reply! I apologize for the vagueness in the issue. I will be sure to clarify below:

  1. I've been through the guides linked above. None of them seem to address the use case we are attempting to use DocuSign for in our application.
  2. Our use case is the following: We would like to use the backend of our web app to create envelopes as well as signing links for these envelopes, without any human / manual intervention. This is doable using the oauth token generator, but this token needs to be manually replaced every eight hours. We would like to be able to have a process in place that could essentially refresh this oauth token without needing to have a human log in and manually reset the token. As far as I can tell from reading through all kinds of the documentation available (as well as the source code), this doesn't seem to be doable. Do you know of a manner in which this can be done? If there is a way we can one-time grant consent for a single user, permanently, that could work. Is this more clear?
  3. I think the issue above is that I was attempting to use the application auth, but apparently that only gives access to the admin API, which cannot be used to create envelopes as well as signing urls.

acooper4960 commented 4 years ago

Hi @Atrus619, let me see if I've got it straight here. You would like behavior similar to our automated tests. We run them all the time and they authenticate without human intervention and create envelopes amongst other things. The preferred authentication method for this type of use case is the JWT grant flow.

In order to grant consent, the user your JWT auth is impersonating must perform the manual step illustrated in Step 1: Request Application Consent by manually going to that url themself. It's a one time deal and then you should be ready to send as many envelopes as you like.

On the last question, the auth api is the authentication api we use for the entire platform, this is a reason we use oauth in the first place. The token it generates is valid for esign rest.

If you would like a reference, please feel free to check out how tests/SDKUnitTests.js uses JWT auth.

Does that help?

Atrus619 commented 4 years ago

@acooper4960 This makes sense, thanks for pointing me to that file. Before I dive into testing this out, I just wanted to get clarification on a few things:

  1. Is there an expiration on this auth token using this approach?
  2. If there is, does the user need to consent every time this auth token is generated? If so, this will not work.

acooper4960 commented 4 years ago

Sure thing @Atrus619, yes there's an expiration, and no, consent is a one time deal. Our automated tests surely wouldn't work if we needed to keep getting consent.
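
The unattended flow discussed above, as an added example that is not part of the thread or the SDK: consent is granted once through a URL, after which the backend caches each JWT-granted token and requests a new one shortly before it expires. `requestToken`, the error shape checked by `isConsentRequired`, and the 300-second skew are assumptions.

```javascript
// Added example, not DocuSign SDK code. `requestToken` is a hypothetical async
// function wrapping the SDK's JWT user-token request; it is assumed to resolve
// to { access_token, expires_in } with expires_in in seconds.
const AUTH_HOST = 'account-d.docusign.com'; // demo host; production: account.docusign.com

// One-time consent URL the impersonated user opens in a browser.
function consentUrl(clientId, redirectUri) {
  const q = new URLSearchParams({
    response_type: 'code',
    scope: 'signature impersonation',
    client_id: clientId,
    redirect_uri: redirectUri,
  });
  return `https://${AUTH_HOST}/oauth/auth?${q.toString().replace(/\+/g, '%20')}`;
}

// Assumed error shape: the OAuth error code in err.response.body.error.
function isConsentRequired(err) {
  return Boolean(err && err.response && err.response.body &&
    err.response.body.error === 'consent_required');
}

class JwtTokenCache {
  constructor(requestToken, { skewSeconds = 300, now = Date.now } = {}) {
    Object.assign(this, { requestToken, now, skewMs: skewSeconds * 1000 });
    this.token = null;
    this.expiresAt = 0;
    this.pending = null; // shared in-flight request, so bursts trigger one call
  }

  isFresh() {
    return this.token !== null && this.now() < this.expiresAt - this.skewMs;
  }

  // Returns a valid access token, requesting a new one shortly before expiry.
  async get() {
    if (this.isFresh()) return this.token;
    if (!this.pending) {
      this.pending = this.requestToken()
        .then(({ access_token, expires_in }) => {
          this.token = access_token;
          this.expiresAt = this.now() + expires_in * 1000;
          return access_token;
        })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }
}
```

The value returned by `get()` goes into the `Authorization: Bearer` header as in the snippet at the top of the thread; when `requestToken` rejects and `isConsentRequired(err)` is true, the impersonated user has not yet opened `consentUrl(...)`.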

LarryKlugerDS commented 4 years ago

Closing due to lack of recent comments. Please comment if there are still questions on this issue. Thank you.