DocuSign API - JWT token generation

Regarding API calls to DocuSign with a JWT token:
Can I use my own private key to generate the JWT and share my public key with DocuSign so it can decode the JWT?
If so, what algorithm should I use?

No, you cannot use your own private key. You have to use the DocuSign-provided private key for JWT authentication.

We have no support in DocuSign JWT for using a customer's public/private key pair. In April 2019, the product group examined the issue and decided that other feature requests are of higher priority.
If you would like us to look at the idea again, please ask your DocuSign sales person to refer to internal ticket ID-2188.

Related

Is it possible to add a HMAC key using Docusign REST API for use in Envelope level webhooks

I am able to create a CustomConfiguration using the DocuSign REST API. However, the HMAC keys are generated online using the admin account. Is there a REST API option to add an HMAC key to the user's account for use in envelope-level eventNotification webhooks? There is no option to specify an HMAC key while creating the document (as part of the eventNotification) which would then be used for validating the webhook.
No, you cannot do HMAC validation per envelope (as part of eventNotification). At this time the only way to use HMAC validation is an account-wide Connect configuration, and that does require administrative access.

What is JWKS? What does JWKS actually do with refresh and access tokens?

I am working on an authentication system that has access tokens, refresh tokens, JWT and JWKS. My problem is that I don't know what the functionality of JWKS is. What is the functionality of JWKS in an authentication system that works with JWT, refresh tokens and access tokens? What are the public and private keys in this system? Does JWKS need to connect to a database?
Do you mean JWKS or a JWKS endpoint?
JWKS is JSON Web Key Set - a JSON notation for sharing public keys which are used to verify the signature of a signed JWT.
JWKS endpoint is an endpoint exposed by the Authorization Server from which you can obtain a JWKS.
Whenever you need to work with the content of a JWT (e.g. you have an API which receives the JWT and needs to make authorization decisions) you should verify the signature. In order to verify it you need a public key, which corresponds to the private key used by the Authorization Server to sign the JWT. This public key can be obtained in different ways (e.g. you can hard-code it in your API), and getting it from a JWKS endpoint is one valid way. If you have the option of reading public keys from a JWKS endpoint I would recommend using it; this greatly simplifies key management in your system. Whenever you need to rotate keys, you just change them in the Authorization Server. It's especially useful if you do not control the Authorization Server; then you don't have to worry about key rotation at all.
You can have a look at the second part of this free course: OpenID Connect in Details (requires email registration). The JWKS topic is covered there.
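As an added example (not code from the answer above, nor from DocuSign or any library the page mentions), the Python below shows the whole loop the answer describes in one dependency-free file: the Authorization Server signs an access token with its private key and publishes only the public half as a JWKS; the API picks the key by `kid` from that JWKS, verifies the RS256 signature, and only then trusts the claims. The RSA key generation is a toy written for this example (1024-bit, pure Python, so it runs anywhere; a real Authorization Server uses a vetted library and 2048-bit or larger keys), and the key ID, claims and the "tampered" token are constructed. The signing half is also the shape of the JWT-grant assertion from the first question on this page, the difference being that there the private key is the one DocuSign issues rather than one generated locally.

```python
import base64
import hashlib
import json
import random
import time


def b64url(data: bytes) -> str:            # RFC 7515 base64url, no padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Toy RSA key generation, constructed for this example only (a real Authorization Server
# uses a vetted library). 1024 bits keeps it fast here; real keys are 2048 bits or more.
_SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if any(n % p == 0 for p in _SMALL_PRIMES):
        return n in _SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.SystemRandom().randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_keypair(bits: int = 1024) -> dict:
    """Returns {'n', 'e', 'd'}; n is the public modulus, d stays with the Authorization Server."""
    rng = random.SystemRandom()

    def prime() -> int:
        while True:
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1   # full length, odd
            if _is_probable_prime(cand):
                return cand

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:              # 65537 is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}


# RS256 = RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017 section 9.2); this is the DigestInfo prefix.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _key_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def make_jwks(public_keys) -> dict:
    """What the Authorization Server publishes at its JWKS endpoint: (kid, n, e) triples, no d."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url(n.to_bytes(_key_len(n), "big")), "e": b64url(e.to_bytes(3, "big"))}
                     for kid, n, e in public_keys]}


def issue_jwt(private_key: dict, kid: str, claims: dict) -> str:
    """Authorization Server side: sign base64url(header).base64url(payload) with the private key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    k = _key_len(private_key["n"])
    sig = pow(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), private_key["d"], private_key["n"])
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))


def verify_jwt(token: str, jwks: dict, now=None) -> dict:
    """API side: pick the key by kid from the JWKS, check the signature, then check exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":            # refuse 'none' and alg confusion outright
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")         # real code: refresh the cached JWKS once, then fail
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    sig = b64url_decode(s)
    s_int = int.from_bytes(sig, "big")
    if len(sig) != _key_len(n) or s_int >= n or pow(s_int, e, n) != _emsa_pkcs1_v15((h + "." + p).encode("ascii"), _key_len(n)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))       # only now is the payload trustworthy
    if not isinstance(claims.get("exp"), (int, float)) or (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def demo() -> dict:
    """Constructed run: one good token, then a tampered payload, an expired token and an unknown kid."""
    key = generate_rsa_keypair()
    jwks = make_jwks([("2024-06-key", key["n"], key["e"])])
    now = 1_700_000_000
    token = issue_jwt(key, "2024-06-key", {"sub": "user-42", "iat": now, "exp": now + 300})
    h, _, s = token.split(".")
    forged = ".".join((h, b64url(b'{"sub":"admin","exp":9999999999}'), s))   # payload swapped, old signature
    results = {"ok": verify_jwt(token, jwks, now=now)["sub"]}
    for name, tok, keyset, at in (("tampered", forged, jwks, now), ("expired", token, jwks, now + 600),
                                  ("unknown_kid", token, make_jwks([]), now)):
        try:
            verify_jwt(tok, keyset, now=at)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the answer makes is visible in `verify_jwt`: the API never touches a database or a secret, it only needs the public JWKS, and rotation is just the Authorization Server adding a new `kid` to the set and signing with it. Note that the `alg` check comes before anything else; accepting whatever algorithm the header names is the classic JWT mistake.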

Stripe SCA payments and secret key

I have a website that takes card payments using Stripe. Currently it uses the checkout API, but I am upgrading it to use the SCA API, and PaymentIntents.
I am concerned however that it appears that the PaymentIntents API requires you to present your secret key in order to create the session.
As I don't have my own servers, and am using hosted environments, I don't really want to place a secret key on these.
Indeed Stripe themselves say "Secret API keys should be kept confidential and only stored on your own servers. Your account’s secret API key can perform any API request to Stripe without restriction."
I have engaged with Stripe support, and they appear to be saying that yes, you can't use a restricted key, you have to use the secret key; but I don't like this!
Am I missing something, or going about it the wrong way? Has anyone got PaymentIntents working without the secret key?

DocuSign API integrator & private key, with multiple users

I am using the DocuSign API to authenticate, create, and send envelopes from within my application. This application needs to allow multiple users to use their own DocuSign accounts with the application. For each DocuSign user that will use this application, do I need to have a separate integrator key and private key? Or is there a better way? Requiring each user to set up an API key doesn't scale very well as a business workflow. I'm hoping there is a better way, so that I can set up an integrator key and private key once.
No you do not need to create a separate integrator key for each user! You only need one integrator key (also called clientId) per DocuSign integration. The key helps identify which integration the requests are coming from, though these requests can indeed be coming from different accounts.
Your integration simply needs to initiate the OAuth handshake based on which method you are using (Auth Code Grant, Implicit Grant, JWT Token) and while "under the hood" the request will contain your integrator key the end-user does not see that (or even know about it).
See the Authentication Overview for more info.
Once you make the initial auth request the user will be redirected to a browser where they will login through the standard DocuSign login page using their username and pwd. Upon successful login they will be redirected to the redirectUri that was supplied in the API request and the resulting URL will have a query parameter attached to it which has their auth code.
Again, read the overview above based on which method you are using, but as stated you only need ONE integrator key per integration which is a private ID that you should never share with the end-user.
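As an added example (not code from the answer above or from DocuSign's own SDKs), the Python below puts the Authorization Code Grant the answer describes into three functions: build the login redirect, handle the `redirectUri` callback that carries the auth code, and build the back-channel request that exchanges the code for tokens. The security detail worth seeing is the `state` parameter: the server binds each pending login to a random value and refuses a callback that does not carry it back, which is what stops an attacker from planting their own code in a victim's browser. The `account-d.docusign.com` developer host, the `signature` scope and the placeholder integrator key, secret and callback URL are assumptions for the demo, and the callback URLs are constructed rather than captured.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed developer-sandbox OAuth host for the demo; production would use account.docusign.com.
OAUTH_BASE = "https://account-d.docusign.com/oauth"


def start_authorization(integrator_key: str, redirect_uri: str, scopes=("signature",)) -> dict:
    """Build the browser redirect. The returned state must be kept server-side (e.g. in the
    user's session) so the callback can be tied back to this particular login attempt."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": integrator_key, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return {"url": OAUTH_BASE + "/auth?" + urlencode(params), "state": state}


def handle_callback(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Parse the URL the browser lands on after login and return the one-time authorization
    code, refusing anything that is not tied to the pending login."""
    got, want = urlparse(callback_url), urlparse(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived at an unexpected URL")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):   # constant-time compare
        raise ValueError("state mismatch: possible CSRF or stale login")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("no authorization code in callback")
    return codes[0]


def token_request(integrator_key: str, secret_key: str, code: str) -> dict:
    """Back-channel exchange of the code for tokens. The integrator key and its secret travel
    only server-to-server in this Basic header; the end user's browser never sees them."""
    basic = base64.b64encode(f"{integrator_key}:{secret_key}".encode()).decode()
    return {"url": OAUTH_BASE + "/token",
            "headers": {"Authorization": "Basic " + basic,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "authorization_code", "code": code})}


def demo() -> dict:
    """Constructed walk-through: one honest callback and one an attacker planted."""
    ik, cb = "00000000-0000-0000-0000-000000000000", "https://app.example.com/docusign/callback"
    pending = start_authorization(ik, cb)
    honest = cb + "?" + urlencode({"code": "constructed-code-123", "state": pending["state"]})
    code = handle_callback(honest, pending["state"], cb)
    req = token_request(ik, "hypothetical-secret", code)
    try:                                      # right path, attacker's code, state not ours
        handle_callback(cb + "?code=attacker-code&state=not-ours", pending["state"], cb)
        forged = "accepted"
    except ValueError as exc:
        forged = str(exc)
    return {"code": code, "token_url": req["url"], "body": req["body"], "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The user-visible part is only `start_authorization` (a redirect to DocuSign's login page) and the callback; `token_request` runs from the server, which is why a single integrator key and secret can serve every user of the integration without being handed to any of them.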

Can an integrator key be used across multiple clients if they have their own account?

We are implementing embedded document creation for our SaaS product. Some of our clients will be using their own accounts and credentials. Others may not have a DocuSign account and so will be able to set one up through us. How does a client authorize us to use their account credentials?
For example, say we want to create an authorization token to store on behalf of one of our clients (i.e. post to ~/v2/oauth2/token). Would we pass our account's integrator key, with the client's username and password in the headers?
You should think of the Integrator Key as an application specific key - it helps identify your integration so DocuSign knows which integration is creating which envelopes as well as how many envelopes (especially since there are per account per hour API call limits in place).
You only need one Integrator Key for any and all users using your integration, and yes, you would authenticate your API calls by placing the IK along with a given user's username and password in the authorization header. As long as that user is passing valid credentials (i.e. a valid username + password combo), they can make the request under any Integrator Key.
