DocuSign Recipient sign url expire

I need to add DocuSign to my chat app (iOS, Android, Windows) in order to ask all the chat group members to sign documents.

I want to implement DocuSign signing flow without Server implementation: only Sender and Recipients client side implementation (is it possible?).

Flow that I imagined:

  • An authenticated Sender creates the envelope with the Envelopes: create REST call.
  • Other members must sign the document (no DocuSign account needed)...
  • ...so I need to generate a "recipient url" for every member using the REST call EnvelopeViews: createRecipient (who calls this endpoint?)

I tested this flow with Postman and I've some questions:

  1. EnvelopeViews: createRecipient requires the X-DocuSign-Authentication header, so this request must be called from the Sender side, is it?
  2. EnvelopeViews: createRecipient returns a URL that can be used once, why? The second time I use this URL I get 404 as response.

So what I notice is the Recipient can't use the url (provided by the Sender) twice but he can't generate a new url every time because it isn't authenticated (no X-DocuSign-Authentication).

How can I implement this flow properly?

Lots of good questions:

EnvelopeViews: createRecipient requires the X-DocuSign-Authentication header, so this request must be called from the Sender side, is it?

  1. Do not use the X-DocuSign-Authentication header. That's "legacy authentication" and DocuSign does not support it for new REST eSignature apps. Instead, use OAuth. Probably the OAuth JWT grant flow since that flow enables your application to impersonate a DocuSign user (such as the sender), when the user is not present.

  2. You can call EnvelopeViews: createRecipient from your server or from your browser app. If you call from your browser then you'll need to implement a private CORS gateway.

  3. Either way, when the signer is ready to sign, you obtain the signing ceremony URL from the EnvelopeViews: createRecipient API call, then redirect the signer's browser to the URL.

EnvelopeViews: createRecipient returns a URL that can be used once, why?

For security reasons. That's part of our information security architecture. And not only is the signing ceremony URL only usable once, it is also time limited. It should be used within a minute or two from when you receive it from DocuSign. It will expire 5 minutes after it was created.

The second time I use this url I get 404 as response.

Yes, that's as designed. You get the URL, then you immediately redirect the signer to the URL. Then they sign. Then they're redirected back to your application.

If you want to provide a URL to a signer that the signer can use later on, you can implement that flow yourself. I've described how in other answers.

So what I notice is the Recipient can't use the url (provided by the Sender) twice but he can't generate a new url every time because it isn't authenticated (no X-DocuSign-Authentication).

How can I implement this flow properly?

You're almost there. Implement the JWT grant flow in your application. That way your app can impersonate the sender even when they're not around. When the signer wants to sign, your app gets the signing ceremony URL from DocuSign, and then redirects to enable signing.

An alternative which also works fine is for the sender to sign in to DocuSign by using the standard OAuth Authorization Code grant. This provides your app with an access token and a refresh token.

Your app enables the sender to send the envelope by using the access token.

Later, when the signer wants to sign, your app uses the refresh token that it stored to generate a new access token. Use the access token with the EnvelopeViews: createRecipient API method to obtain the signing ceremony URL.

  1. The X-DocuSign-Authentication header is legacy authentication, please don't use this as it's not as secure as modern OAuth.
  2. Again, security. Every time you want someone to sign, your code should generate the URL. Also, note you cannot generate two URLs. Only one is valid at a time. You need your app to have some logic to ensure that only one user is signing and only at that point in time the URL is generated.
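
The "link the signer can use later" flow and the "only one URL at a time" logic mentioned in the answers, sketched as an added example (not code from the answers or from DocuSign). The create_recipient_view callable is a hypothetical wrapper around EnvelopeViews: createRecipient running where the OAuth access token lives; tracking one outstanding URL per (envelope, recipient) pair is an assumption of this sketch.

```python
import hashlib
import secrets
import time

SIGNING_URL_TTL = 300  # seconds; the answer above says the URL expires after 5 minutes


class SigningLinkBroker:
    """Issues durable app links; mints the DocuSign signing URL only on click."""

    def __init__(self, create_recipient_view, clock=time.time):
        # create_recipient_view(envelope_id, recipient_id) -> url is a hypothetical
        # wrapper around EnvelopeViews: createRecipient, called with an OAuth token.
        self._mint = create_recipient_view
        self._clock = clock
        self._links = {}   # sha256(link token) -> (envelope_id, recipient_id)
        self._active = {}  # (envelope_id, recipient_id) -> time the URL expires

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link_token(self, envelope_id, recipient_id):
        """Return an unguessable token to put in the chat message."""
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = (envelope_id, recipient_id)  # store hash only
        return token

    def redeem(self, token):
        """Signer tapped the link: return a fresh URL to redirect to at once."""
        key = self._links.get(self._digest(token))
        if key is None:
            raise PermissionError("unknown link token")
        now = self._clock()
        if self._active.get(key, 0) > now:
            raise RuntimeError("a signing URL is already outstanding")
        url = self._mint(*key)  # never stored, never handed out twice
        self._active[key] = now + SIGNING_URL_TTL
        return url

    def signing_finished(self, envelope_id, recipient_id):
        """Call from the return-URL handler once the signer is redirected back."""
        self._active.pop((envelope_id, recipient_id), None)


if __name__ == "__main__":
    broker = SigningLinkBroker(lambda e, r: f"https://signing.example/{e}/{r}")  # constructed stub
    link = broker.issue_link_token("env-1", "recipient-1")
    print(broker.redeem(link))
```

The link token, not the signing URL, is what travels through the chat; the signing URL exists only for the redirect that follows redeem().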
