Legacy Header Authentication is the earliest
authentication protocol in the DocuSign platform.
You may see it used in many examples.
This authentication flow
is recommended only for
It is not recommended for
for user applications.
Since it requires handling of
legacy header authentication
may not be appropriate for all applications.
If you application requires a user to log in,
we recommend using the
authentication code flow
With Legacy Header Authentication
you provide your account credentials
in every request
You can provide your credentials
as a JSON object
or as an XML object.
In both cases
the object contains
- The email address of your developer account.
- The account’s password.
- Your integrator key.
The JSON object looks like this:
"IntegratorKey":"your integrator key"
In JSON strings,
\ is interpreted
as an escape character.
If your password contains
a backslash, be sure to escape it
with another backslash.
if your password is
you would need to write it as
"Secret\\Password" in the JSON object.
See the JSON website for more information.
The XML object looks like this:
<IntegratorKey>your integrator key</IntegratorKey>
Get Your Base URL
Your first call to the DocuSign REST API
is to the
to obtain the user’s account and
You’ll use the baseURL to make more requests.
$ curl -i -H 'X-DocuSign-Authentication:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Thu, 02 Jun 2016 02:36:58 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
"name": "Dev Eloper",
"userName": "Dev Eloper",
The result contains information about your account.
The most useful value to you right now
This is the URL that you’ll use
for all your requests.
In the production environment
baseUrl will contain the address
of an production server.
Although the endpoint has “login” in its name,
it does not actually log you in to the DocuSign platform.
(The API is sessionless.)
Rather, it provides information about the user’s accounts and their baseUrls for use in subsequent requests.
As a side-effect of making the API request, if your authentication header does not include valid information,
(such as an incorrect password), the call will be rejected.