App Password required for new SOAP integrations
See how this requirement affects your existing eSignature SOAP API integrations as well as any new ones you may want to create.
As of April 21, 2022, Docusign has started blocking all new SOAP integrations from go-live using legacy authentication. As hackers continue to get smarter, our login security standard continues to evolve as well. Docusign’s legacy authentication and OAuth 1.0 do not meet current information security standards for SOAP and will no longer be supported for net new integrations.
Enforcement schedule
To enforce the new requirements, the automatic go-live process has been updated to require SOAP applications to use App Password authentication.
By October 2022, all Docusign customer, ISV, and partner SOAP API applications must use App Password. Applications already in production must be upgraded to use App Password by then.
Are there any exceptions?
Since this is needed for application security, we do not foresee any exceptions to the new policy. Our Developer Support and Professional Services groups are ready to help you. We also have an extensive set of App Password documentation that can be used.
Send-on-behalf-of
Account admins can also use an App Password to make SOBO calls, sending on behalf of an account user without getting their explicit permission.
I’m an ISV. I need new integration keys for SOAP APIs that don’t require App Password for my new customers.
If you’re a member of a Docusign partner program, please send an email to partners@docusign.com and we will work with you on this issue. At the same time, please plan now to update your application to use App Password for Docusign authentication per the schedule.
If you’re not yet a member of a Docusign partner program, please join us (no charge) via this form. Then contact us about your application’s integration keys. Docusign recommends that ISVs should use a single integration key for all of their customers whenever possible. See this document.
Do you have resources to help my developers upgrade to App Password?
Yes, see the following resources:
Developer Center App Password guidelines
App Password Release blog post
Legacy Auth Deprecation Project Overview Dev Center page
Additional resources
Sarah Zou is a Senior Platform PM at Docusign. Empowering users to protect their credentials and fighting identity stuffing attacks are her passions. Her work focuses on enabling customers to deploy Docusign in a way that matches their Identity Access Management strategy (i.e. SSO, OAuth, TFA, etc). You can find her on LinkedIn.
Related posts