I was on this project and can speak a bit more on the technical details here.<p>A couple of high level goals:<p>1. We wanted to use their embedded flows, to keep the experience within our application as much as possible.<p>2. We wanted to avoid having to create a DS user for every user in our application that turned on this feature. We were looking for using 1 “API user” to make requests, handling data scoping ourselves within the application.<p>The actual issue in more detail:<p>1. Go to an embedded page, authenticated as the “API user” (which <i>looks</i> like you’re sandboxed within DS to the embedded page)<p>2. Refresh the page<p>3. You now can click around the entire account - viewing any data that belongs to the API user (in our case, all of the data).<p>At this point (as the OP called out), we realized we had no choice but to create DS users. But we still wanted to hide this process from our users, keeping DS as embedded as possible. The issue was their “regular” user creation flow involves a email going out to the user to confirm - obviously this is unideal if our goal was to wrap DS and hide it’s existence as much as possible from users.<p>DocuSign offered a workaround for this, which involved basically getting shifted to a legacy version of the API, with no hard promise of it <i>not</i> being sunsetted. By then, we had had such a poor experience with non-answers from their team that we called it quits.<p>I hope this clarifies some of the technical problems we were trying to solve for.<p>Edit - I'm sure DocuSign can solve for some use cases. Obviously, they have a large user base and I'm sure most of them are at least satisfied, if not happy. But if you're trying to wrap an e-sign provider within your application, I would recommend HelloSign 1000x. HelloSign's API is a first class citizen whereas DocuSign's felt more like an afterthought.
Maybe the goal here wasn't to be technical (although I'm not sure why given it's an article about docusign api integration) but this is a WHOOOOOLE lot of text with basically nothing worth reading.<p>>I was annoyed that they didn’t provide a secret key to authorize API requests<p>Yeah... they don't do that for a reason. They appear to support a fully fledged OAuth implementation (<a href="https://developers.docusign.com/esign-rest-api/guides/" rel="nofollow">https://developers.docusign.com/esign-rest-api/guides/</a>). I haven't used it, so maybe it's terrible, but I'm suspicious of the author at this point.<p>>DocuSign API docs are very quirky<p>But no discussion of why, or what he would expect instead. This actually sounds like the author is lost because they don't understand OAuth again (and to be fair, I've implemented OAuth and it's easy to get wrong).<p>>Someone on the team noticed that if you refresh the page, you get logged in as the user that was making the API request. [...] About a week later, we were informed that this is intentional, and they were worried about breaking anyone that is using this as a feature.<p>This honestly sounds like they were politely telling you that you haven't implemented OAuth correctly. You should be making the request with the token of the delegated user, not a generic account.<p>>I got this working, but it took some janky work to re-work the JWT flow to manage hourly expiring tokens for all of our user that choose to enable the esignature feature.<p>This is what refresh tokens are for. I highly doubt the refresh token expired in an hour, but hey - I haven't used it so maybe I'm wrong.<p>---<p>I honestly believe I can summarize this whole article as: Dev takes first steps into OAuth and gets lost...
I had a project that used docuSign a few years ago. There were some very strange things going on with their API.<p>I remember having to call them asking where to find a template ID so I could save that and send out the proper doc to customers. It was not listed anywhere on the developer dashboard. The rep told me in a very condescending way that it template ID was part of the URL. I should have known to just use that!<p>My app was written in a python backend. They had a some API examples in different languages for their docs. The python example was a total embarrassment. It was clear that the person who wrote it had no experience with python at all. I am not trying to be mean, it was that bad. Every line ended with a semicolon (in python this is not an error, but is officially discouraged). The person also seemed to not be aware of a dictionary. They built their json paylod by concatenating text. It was the messiest python code I had ever seen. I think this particular bit of code is gone now, but it was incredible.<p>I felt so bad that I emailed them some suggested fixes and asked if they had python experience. They responded with a something along the lines of ya, we had the java guy do that. But the code stayed up there for a long time...
I've done a docusign implementation, and I don't really agree with them. Their API is fine honestly, I think their documentation could be better and some things are named awkwardly. But the implementation really isn't hard, my only real complaint is that when we did it they pushes the DocuSign connect service really hard, which honestly was kind of a waste and didn't live up to many of their promises, but that's normal b2b upselling. It's a normal API, and definitely not as bad as this person makes it seem.
I am DocuSign’s Lead Developer Evangelist.
Thanks to Joseph (OP) for writing this up and to everyone who has contributed to this thread including both the positive and negative comments about integrating with DocuSign.<p>The problem OP ran into is really one of documentation and not a bug or security issue.<p>I agree that our docs for the embedded sender view should clearly state that the method’s URL gives full access to the sender’s account, and we’ll fix that ASAP. As others have commented, the assumption of this API method is that each sender has their own account. I also agree that the OP’s use case, which requires that the sender view’s capabilities be strictly limited to the current envelope, is valid. It is under consideration for our roadmap.<p>A workaround: I recommend that API applications complete the sending process programmatically including document tagging, etc. This also provides the best user experience for the sender.<p>We actively monitor and reply to the “docusignapi” tag on StackOverflow (I’m “Larry K”), if you want to reach out to us there.
Looking at the API description (very detailed BTW) <a href="https://developers.docusign.com/esign-rest-api/guides/authentication/oauth2-jsonwebtoken" rel="nofollow">https://developers.docusign.com/esign-rest-api/guides/authen...</a> , it does look like they used a wrong flow for the use-case, and then invented some shortcuts to make it work (which understandably did not work out well).<p>It does look like onboarding failure, but there is so much you can do to steer the customers towards the right path. I am not completely convinced that this was Docusign's fault.
FWIW, I've developed a lot of this sort of tool. For some reason, Adobe E-sign services (formerly known as EchoSign) rarely comes up, but it's actually quite good and cost-effective to develop with.<p>Docusign is indeed pretty terrible as an API, but it does have the benefit that users have heard of it so it has a certain institutional credibility - which is usually important if you're developing the sort of app that needs an e-signature process. On that front, all of our clients were very comfortable with Adobe as a secure service provider - it was something we publicized, in fact.<p>I've played a bit with Hellosign. While I've heard they have a nice API, they don't have the institutional credibility that Docusign and EchoSign have. Also, their pricing was way, way higher than EchoSign's, in my experience. I'd love to learn more about them, though.
Advice: Skip straight to the situation paragraph as anything before that isn't about the DocuSign integration, not sure what the first section brings to the whole article.
The author seems to have buried the lead here:
"Someone on the team noticed that if you refresh the page, you get logged in as the user that was making the API request"<p>And that is how the implementation works for many of Docusign's customers as a 'feature'. If that's true, that would seem like a potentially exploitable security hole. However, I'd have to question if that had something to do with the particular implementation, otherwise I'd expect more focus on the security repercussions.
We just completed an embedded signature integration with HelloSign. The HelloSign API plans were expensive - but still a fraction of what DocuSign charged (at the time HS was 20% as expensive - pricing seems to have gotten more comparable now).<p>Integration was easy. The Ruby SDK & JS lib worked great (we have Rails back-end / React front-end). Customer service has been good & responsive. They have to approve your UI before giving live access - but once we had the integration working it took < 1 day to schedule the meeting, do the screenshare, and get approved.<p>Two slightly annoying things: (1) they don't have per-request fees if you go over your allotted usage. You'll get automatically bumped to the next plan which gives you 3x the request and is almost twice as expensive. (2) they wouldn't let us go month-to-month since we had an existing annual plan that we wanted to be under the same account (so we can share templates). This is tough since it's difficult for us to predict how many requests we'll need.
Just use HelloSign. Their developer support is the best I've had from an API company - you email them and you get support from an actual developer - and they smartly do things to save everyone trouble like creating an API debug console so you can see what they receive on their end. I wish all of our API partners followed their lead.<p>The best thing I can say about Docusign is that it is way, way better than Adobe Sign's absolute garbage support. The Adobe software may work but if you have the slightest problem with the API you will be in support hell.
All those online signatures "click to sign" services are useless anyway, they have absolutely no legal value anywhere (their EIDAS/ETSI whatever are just buzzwords), even in France from where docusign is coming.<p><a href="https://www.cryptomathic.com/news-events/blog/us-court-rejects-docusign-e-signatures-as-method-to-provide-digital-authorization" rel="nofollow">https://www.cryptomathic.com/news-events/blog/us-court-rejec...</a>
We tried something similar years ago with DocuSign, and needed the ability to sign in person with two different people, one acting as a witness, with a potential third person being remote via email. It was not supported at all. Built our own internal system to handle esignatures, worked great, never looked back.
The article was a bit meandering (bit of a bildungsroman), but good to know to avoid docusign apis. Might have been able to find out how much it sucked just by googling more "docusign alternatives" or "docusign api sucks" =D
When we tried to bring docusign on board back in 2015-2016, it didn't feel like a very robust product in terms of user accounts management.<p>They had a legacy instance and a v2 instance (w/ new UI). Enterprise integration was against the legacy instance. Accounts created in one instance does not carry over to the new instance. User who self registered in new instance some how makes authentication into the legacy instance very difficult.<p>As a user with admin access to docusign, there were a paltry of user management features. I had to delete individual users. No way to filter or batch any user oriented actions.
We rolled our own bc out of box solutions were crazy expensive. Any one else do this? I'm kind of surprised how much people are willing to pay for something that is not that hard to build. You can't build your own twilio or Google maps but Hou absolutely can build your own signature feature.
I've been working a lot on a project recently with a fair bit of Docusign integration.<p>Some notes:<p>* Their API documentation really is garbage. If you're signed in to your developer account, you get access to marginally better documentation. This makes it hard to abuse Google to find things you're looking for. Specifically, the documentation is incomplete and difficult to navigate, largely because they appear to have relied on Swagger to generate the whole mess.<p>* Their support sucks, and exists mostly to try to get you to pay for their team to write code for you to interact with their code, rather than fixing their documentation.<p>* The API has some warts. I wouldn't care about the warts so much if the documentation compensated for it, but it doesn't, so I've burned lots and lots (and lots) of hours trying to figure out the weird bits. For example:<p>> You specify the difference between an "embedded" and "remote" recipient by setting a clientUserId attribute;<p>> But, if you specify both a clientUserId and a client name attribute, then the API call to createRecipientView will probably return a "User not found" error (see for example <a href="https://stackoverflow.com/questions/20500630/unknown-envelope-recipient-but-the-recipients-actually-do-match);" rel="nofollow">https://stackoverflow.com/questions/20500630/unknown-envelop...</a><p>> You send an envelope not with an API call like sendEnvelope, but by setting the envelope status to "sent";<p>> Exceptions thrown during the authentication process by default set the Exception's error message to "Error connecting to the API...". Guess how much fun that was to debug?<p>* And their library for PHP is really a steaming pile. It's just a wrapper around curl, auto-generated by Swagger. It pretty much demands a wrapper around their library to be able to work with it effectively and compensate for all the warty bits.<p>I haven't quite got to the point of <i>hating</i> Docusign, but I don't love them, and wouldn't recommend them to other developers. I did find HelloSign early on in this project, and their API documentation (<a href="https://app.hellosign.com/api/documentation" rel="nofollow">https://app.hellosign.com/api/documentation</a>) is everything that I wish Docusign's was, and they clearly make a much greater effort to be attractive to developers.<p>I'd love to link some of the Docusign support articles and such I've filed under my "docusign_sucks" tag, but you need to be signed in to your Docusign developer account to view them...
> we’ve tried to build as much as we can as to skip dependencies, I’ve spent enough time in rails to appreciate debugging owned code - an argument for another time...<p>Okay, I'll bite. I have no experience in RoR, but does this line suggest that RoR <i>encourages</i> NIH?<p>This line feels like that scene in a horror movie, right at the beginning, when the camera lingers a little too long on the janitor's face as he cracks a smile that's wider than it should be.<p>Red flags:<p>* NIH (mentioned above)<p>* Using Go in production (more specifically, complaining about the lack of support for Go in production -- you should have known what you were getting into)<p>* Announcing a hacked-together MVP to the whole company<p>* Escalated to a VP for a technical issue<p>* Not using the company's recommended workflow, instead building your own<p>There's no way that the inability for the author to deploy DocuSign, an API that hundreds of companies successfully use, is on DocuSign.<p>Also, an maybe this is just a cynical view, but when you start your cautionary tale with a literal, "It all started when I was 11", it's kind of hard to relate.