Skip to content
English
Sign in
Go to www.contractsafe.com
  • There are no suggestions because the search field is empty.

Migrating from Legacy DocuSign Authentication to JWT Grant

DocuSign is retiring username/password authentication on March 31, 2026. If your organization uses a shared DocuSign account to send documents from ContractSafe, follow this guide to switch to JWT Grant authentication and keep your centralized workflow running without interruption.

⚠️ Deadline: March 31, 2026

After this date, stored DocuSign usernames and passwords will no longer work. Organizations that have not migrated will automatically fall back to individual user authentication. You can set up JWT Grant at any time — before or after the deadline — to restore centralized sending.

What's Changing and Why

DocuSign is discontinuing Basic Auth (username/password) authentication for all eSignature API integrations. This is a security upgrade on DocuSign's end — they are requiring all partners to use OAuth 2.0.

If your ContractSafe organization currently has a shared DocuSign username and password configured under Settings → Security & Integrations → DocuSign Settings, your integration uses the legacy method that is being retired.

Who Is Affected

This change affects your organization if both of the following are true:

  • Your ContractSafe account has a DocuSign Default User and DocuSign Default Password configured in organization settings.
  • You have not yet set up JWT Grant authentication (Integration Key, Service Account User UUID, and RSA Private Key).

If your organization is already using JWT Grant or if each user authenticates individually with their own DocuSign account, no action is needed.

Your Options

Option 1: JWT Grant (Recommended) Option 2: Individual User Auth
How it works A single service account authenticates on behalf of all users. ContractSafe handles authentication automatically in the background. Each user logs in to their own DocuSign account via an OAuth prompt the first time they send.
Where envelopes land All envelopes go to the service account's Drafts folder — centralized for the whole organization. Each user's envelopes go to their own personal Drafts folder.
User action required None. An admin completes a one-time setup and users continue sending as usual. Every user must complete an OAuth login before they can send.
Action needed Admin follows the setup steps below. No action. This is the automatic fallback after March 31.
💡 Already have a centralized workflow?

If your team currently relies on all envelopes landing in a single shared Drafts folder, Option 1 (JWT Grant) preserves that experience with no change for your end users.

How to Set Up JWT Grant Authentication

This is a one-time configuration performed by an administrator. You will need admin access to both ContractSafe and DocuSign.

Prerequisites

  • A ContractSafe account with administrator privileges
  • A DocuSign account with administrator privileges
  • Access to the DocuSign eSignature admin portal

Step 1: Create a DocuSign Integration App

  1. Log in to the DocuSign eSignature admin portal.
  2. In the left sidebar, go to Integrations → Apps and Keys.
  3. Click Add App and Integration Key.
  4. Give the app a name (e.g., ContractSafe Integration) and click Create App.
  5. Note the Integration Key (Client ID) — you will need this later.

Step 2: Generate an RSA Key Pair

Still on the app detail page:

  1. Scroll to the Authentication section.
  2. Under Service Integration (JWT Grant), click Generate RSA.
  3. DocuSign will display a private key and a public key — this is the only time the private key is shown.
  4. Copy or download the private key immediately and store it securely. It will look like:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

The public key is saved automatically in DocuSign. You do not need to store it separately.

Step 3: Create or Identify a Service Account User

This is the DocuSign account that ContractSafe will impersonate. All envelopes sent through the integration will appear in this user's Drafts folder.

If you already have an existing account you'd like to use (such as the account currently configured as your DocuSign Default User), skip to step 4.

  1. In the DocuSign admin portal, go to Users.
  2. Click Add User and create a dedicated service account:
    • Name: Something descriptive, e.g., ContractSafe Integration
    • Email: A real, accessible email address (e.g., docusign-integration@yourcompany.com) — DocuSign will send a verification email
    • Permission Profile: Assign at minimum the DocuSign Sender permission profile
  3. Complete email verification for the new user account.
  4. Note the service user's API Username (User ID / GUID):
    • Go to Users, find the service account, and click on it
    • Copy the User UUID

Step 4: Grant Consent for the Integration

The service user must explicitly grant your integration permission to impersonate it. There are two ways to do this:

Option A: Admin Consent (requires Org Admin / Access Management feature)

If your DocuSign account has the Access Management feature and has claimed your email domain:

  1. In the admin portal, go to Settings → Connected Apps.
  2. Find your app and grant admin consent for the signature and impersonation scopes on behalf of your domain users.
  3. No individual user action is required.

Option B: Individual Consent URL

If Org Admin is not available, construct a consent URL and have the service account user visit it while logged in to DocuSign:

https://account.docusign.com/oauth/auth
  ?response_type=code
  &scope=signature%20impersonation
  &client_id=YOUR_INTEGRATION_KEY
  &redirect_uri=https://www.docusign.com

Replace YOUR_INTEGRATION_KEY with the Integration Key from Step 1. The user clicks Allow Access and consent is recorded.

To verify consent was granted, log in as the service account user, go to Manage Profile → Connected Apps, and confirm your app appears there.

Step 5: Configure ContractSafe

  1. Log in to ContractSafe as an administrator.
  2. Navigate to Settings → Security & Integrations → DocuSign Settings.
  3. Enter the following values:
Field Value
Integration Key Your Integration Key (Client ID) from Step 1
Service Account User UUID The service account's API Username (GUID) from Step 3
RSA Private Key The full RSA private key from Step 2 (entire PEM block including the BEGIN and END lines)
DocuSign HMAC Key & Connect URL Leave unchanged if you already have a one-way integration configured. If setting up for the first time, see How to Integrate with DocuSign — Standard One-Way.
🔒 Security note

  • The RSA private key is stored encrypted in ContractSafe. It will never be viewable after you save it, and we will never ask you for it.

Step 6: Test the Integration

  1. Log in to ContractSafe as a non-admin user.
  2. Open a contract and use the Send to DocuSign action.
  3. Log in to the service account's DocuSign account at app.docusign.com.
  4. Navigate to Manage → Drafts. The envelope should appear here, centralized under the service account.
  5. Confirm the envelope can be sent from DocuSign as normal.

✅ Done!

Once you've verified the test, your migration is complete. Your users will continue to click "Send to DocuSign" exactly as before — no action is required on their part.

Optional: Individual User Override

Individual users can opt out of the organization-level JWT integration and route their sends through their own DocuSign account instead. When the override is enabled, ContractSafe will prompt that user to log in via OAuth, and their envelopes will land in their personal Drafts folder rather than the organization's service account.

This is configured per user in Personal Settings → Connections → DocuSign Settings.

What Happens If You Don't Migrate by March 31

If March 31 passes before you complete the JWT Grant setup:

  • The stored DocuSign username and password will stop working.
  • ContractSafe will automatically fall back to individual user OAuth authentication.
  • Each user will be prompted to log in with their own DocuSign account the next time they try to send a document.
  • Envelopes will go to each user's personal Drafts folder instead of a centralized location.

This is not permanent. You can complete the JWT Grant setup at any time after March 31 to restore the centralized workflow. Once configured, all users will immediately return to the shared service account experience.

Frequently Asked Questions

  1. Why is this change happening?

    1. DocuSign is requiring all API integrations to use OAuth 2.0 as a security upgrade. Username/password authentication is more vulnerable to phishing, brute-force attacks, and credential stuffing. This is a DocuSign-wide change, not specific to ContractSafe.

  2. Do all of my users need to do something?

    1. No. If you set up JWT Grant, only an administrator needs to complete the one-time configuration. Your users won't notice any difference — they'll continue clicking "Send to DocuSign" as usual.

  3. What if we want each user to use their own DocuSign account?

    1. Then you don't need to do anything. After March 31, individual OAuth kicks in automatically. Each user will be prompted to log in to DocuSign the first time they send, and their envelopes will go to their own Drafts folder.

  4. Can I use the same DocuSign account we've been using as the service account?

    1. Yes. The account currently configured as your DocuSign Default User can become your JWT service account. You'll just need its User UUID (GUID) from the DocuSign admin portal. See Step 3 above.

  5. Will the one-way integration (contracts flowing from DocuSign into ContractSafe) be affected?

    1. No. The one-way integration uses DocuSign Connect webhooks, which are not affected by this authentication change. Only the two-way "Send to DocuSign" feature uses the credentials being retired.

  6. I missed the deadline. Is it too late?

    1. Not at all. You can set up JWT Grant at any time. Once configured, centralized sending will be restored immediately. In the meantime, your users can send documents via individual OAuth.

  7. Where can I get help?

    1. Reach out to your Customer Success Manager or contact us at support@contractsafe.com. We're happy to walk you through the setup or schedule a call.