Blog
Home/

Blog series: Building a CLM–Power Automate custom connector: Building a connector

Author Marty Scholes
Marty ScholesManager, ISV Partner Solution Architects
Summary11 min read

In part 3 of his series, Marty Scholes walks you through the process of creating a custom Power Automate connector to Docusign CLM.

    • Introduction
    • Overview of custom connectors
      • Build the connection
            • Heartbeat
            • Conclusion
              • Additional resources

              Table of contents

              This is it: the moment you have been waiting for. By the end of this post, you will have built a safe and reliable Power Automate custom connector that you can take into the real world and start using immediately to interact with CLM through Power Automate flows.

              Introduction

              As noted in my previous post, Power Automate custom connectors do not support the Docusign JWT Grant flow, and the Docusign Authorization Code Grant flow requires regular reauthorization by the user. This post will provide solutions to overcome those limitations.

              First, let’s discuss Power Automate custom connectors.

              Overview of custom connectors

              Power Automate custom connectors provide a simplified facility for interacting with other systems using Power Automate flows. By providing some parameters during the connector definition, you can make the connector immediately available for use.

              Integration type

              The Authorization Code Grant flow works reasonably well for per-user integrations with Power Automate, but system-wide JWT integrations do not have native Power Automate support. You are going to build a connector that will work for a system-wide integration, using Authorization Code Grant flow, but with a twist. Before starting, make sure that you have created an integration key as detailed in the Docusign eSignature Admin Guide: Apps and Keys.

              When you create the integration key, you will need to assign the redirect URI, but you do not have that defined yet. Use a placeholder, such as “https://localhost” for now. Securely store the following information somewhere because you will not have the chance to retrieve this information after the integration key is created:

              • RSA private key

              • Secret key

              Make sure that you have an integration user defined. For this blog post, you can use your own user ID, but for a real deployment, a dedicated integration user should be defined. Make sure that the user has granted consent to the integration key, as outlined in our blog post OAuth JWT: Granting Consent.

              For the consent grant, make sure you use the scope defined in the Security section below.

              Build the connection

              When building a Power Automate custom connector for Docusign CLM, be aware that Power Automate custom connectors assume a single host for all calls through the connector. This means that the three different hosts for CLM API calls—general, upload, and download—will each need their own custom connector.

              Creating a custom connector involves the following steps.

              • Start

              • General

              • Security

              • Definition

              • Code (Preview)

              • Test

              Start

              To get started, log into Power Automate. On the left menu, select Data > Custom connectors.

              On the left menu, select Data > Custom connectors

              In the upper right corner, select the option + New custom connector to see the below dropdown list of options.

              Select the option + New custom connector

              There are several approaches to defining the API calls used in the connector. If you have a Postman collection for CLM, you might try to import it, but my experience is that the import process creates more problems than it solves. Instead, select Create from blank to see the dialog box asking for a connector name. In the example below, I named the connector “Blog Test ACG.”

              Select Continue to see the General tab.

              General

              The General tab collects general information about the custom connector. Here you can customize the image and colors of the connector and give it a description. Choose the default scheme of HTTPS. For the host, recall that three hosts are used for CLM API calls. The three hosts are listed in the Base URLs API call. In my development environment, the three hosts are:

              The first URL is used for most operations. The download and upload URLs are used for downloading and uploading document content. For this example, you are going to use the general URL: the first one. Perform the Base URL API call above to identify the base URLs for your environment. From the API response, identify the URL corresponding to ApiBaseUrl and place the hostname into the Host field. Do not include the leading “https://” portion of the URL. The final field, labeled Base URL, contains the path prefix for API requests. Leave the default slash. An example of the definition is in the image below.

              Next, move to the Security tab.

              Security

              The Security tab defines which authentication mechanism the custom connector will use. Authorization Code Grant is the only mechanism Docusign and Power Automate have in common, so you will use it. Select the authentication type of OAuth 2.0.

              The OAuth 2.0 form takes several parameters as shown in the image below:

              • Identity Provider

              • Client id

              • Client secret

              • Authorization URL

              • Token URL

              • Refresh URL

              • Scope

              • Redirect URL

              Identity Provider

              The Identify Provider parameter enables shortcuts for common identity providers. Docusign is not on the list, so select Generic Oauth 2.

              Client id

              The Client id is the GUID of the integration key you defined in Docusign.

              Client secret

              The Client secret is the Secret Key you recorded when you defined the integration key in Docusign.

              Authorization URL

              The Authorization URL varies between production and demo, as detailed in the below page:

              https://developers.docusign.com/platform/auth/authcode/authcode-get-token/

              For Demo accounts: https://account-d.docusign.com

              For Production accounts: https://account.docusign.com

              Token URL

              The Token URL is the Authorization URL with additional path components of /oauth/token.

              For Demo accounts: https://account-d.docusign.com/oauth/token

              For Production accounts: https://account.docusign.com/oauth/token

              Refresh URL

              The Refresh URL is the same as the Token URL.

              For Demo accounts: https://account-d.docusign.com/oauth/token

              For Production accounts: https://account.docusign.com/oauth/token

              Scope

              Scope controls what capabilities the user consents granting to the integration. A complete list is here:

              https://developers.docusign.com/platform/auth/reference/scopes/

              For testing purposes, use the following scope, which is too permissive for a real application, but allows for many operations in testing:

              impersonation signature spring_read spring_write organization_read user_read account_product_read content extended

              Scope is a single string of scope names, separated by spaces. The above scope has nine scope names listed. All are important, but the final scope name, “extended”, is critical for this connector to continue to work unattended.

              Note: The scope you enter here must correlate to the scope used for the user consent grant above. In particular, the user consent grant must have at least the scope names used in the integration. If the integration attempts to authenticate with a scope name for which the user did not grant consent, then the integration will not be able to authenticate with Docusign. If you need the user to grant more scope names, simply perform the consent grant again with the complete list of scope names.

              Redirect URL

              The Redirect URL is defined for you, but must be added to the integration key information in Docusign. Copy the Redirect URL, and then add that to the integration key redirect URI in Docusign.

              Next, move to the Definition tab.

              Definition

              You will define the API calls in the Definition tab. For each API call you use, the first step is to add a new action by selecting + New action as shown in the image below.

              Fill out the form to specify the API call you’re using in this action. For now, fill in the fields as shown in the image below to define an API call that will list all attribute groups. You’ll need to repeat this process for each API call you use in your connector.

              The next step is to define the request. Defining the request for CLM API calls is a little unusual because the API request path contains parameters. Select + Import from sample as shown below.

              Complete the form as shown below. The HTTP verb is GET. Other CLM API requests use POST, PUT, or PATCH. The URL is the URL of the API call, and the host portion must match the host defined above. Note that the path contains “{AccountId}”, telling Power Automate that the path of the request contains a parameter named AccountId. Leave the Headers section blank then select Import.

              You have defined an action that should look like the image below. Note that AccountId was recognized and identified as a parameter.

              You have defined the first API request. Continue to Code (Preview)

              Code (Preview)

              For our purposes, this tab is unnecessary. Continue to Test.

              Test

              This is where you can test your connector and action. Before testing, select Create Connector to define it within Power Automate. If you test the connector, it will fail, even if it is working correctly. It is unclear why Power Automate CLM connector tests fail, but you can test it by creating a flow.

              Select Update Connector to persist any changes, and then select My flows on the left navigation pane. Select + New Flow up top, and then select Instant cloud flow as shown below.

              Give your flow a name and select Manually trigger a flow, as shown in the image below. Select Create.

              You should see the flow designer with an empty flow, as shown below.

              Select + New Step to see the Choose an operation dialog box, as shown below. Select the Custom tab to see your custom connectors. I have three listed.

              Select the name of your connector to see the action that you defined above.

              Select GetAllAttributeGroups to be prompted to sign in to Docusign.

              Select Sign in to authenticate with Docusign. When you’re authenticated, the step will prompt for an Account ID.

              Populate this with your Account ID GUID, and then select Save. After the flow is saved, select Test in the upper right corner to see the testing options

              Since the only option is Manually, select that, and then select Test. Power Automate will display the connection information to confirm that this is the connection you intend to use.

              Select Continue. A confirmation dialog will confirm that the test has been started.

              Select the link for Flow Runs Page to see the run history.

              You can see that the test succeeded. Select the Start time to see the run summary.

              Despite the test failing in the custom connector definition, it worked here. To see the information retrieved by the API request, select GetAllAttributeGroups. The flow step will expand to show the inputs and outputs. You can confirm that the outputs list your attribute groups.

              You have just created a connector with one API request defined and confirmed that it is connecting to CLM using the Authorization Code Grant flow. Your connector and connection will work well until the access token expires in 30 days. The next section explains how to avoid access token expiration.

              Heartbeat

              You may recall from my previous post that adding “extended” to the scope list gives the access token a lifetime of 30 days and a refresh token that will allow new access tokens indefinitely. In theory, once a connection is established, Power Automate should correctly manage the refreshes forever. In my experience, the connections can still become invalid given enough idle time.

              The secret, then, is to minimize idle time so that the connection stays fresh. The way to do this is with a heartbeat process, also known as a tickler or keep-alive process. All you need to do is make sure that the connection is used regularly. To make this happen, set up an automated cloud flow with only one step: a single API call to CLM, using the same connection that your integration uses. Set this flow to run regularly; for example, daily. The flow will consume one or two seconds of CPU time per day, adding effectively zero overhead to the process, but ensuring that the connection does not become stale.

              In case the connection does expire, monitor the mailbox associated with the Power Automate user who established the connection. Power Automate is kind enough to send an email that the connection has a problem.

              Conclusion

              This post walked you through the process of building a Power Automate custom connector that can be reused in multiple applications. Once established, the connection will persist indefinitely through a heartbeat process and you will be notified if the connection has errors.

              As promised in the first post, in the next and final post, you will build multiple real-world integrations that will:

              • Trigger the Wait for Signal workflow step from within CLM

              • Move documents and metadata in and out of CLM

              • Start a Doc Gen form, possibly with prefilled values

              • Start a workflow, with or without data in Params

              • Query CLM directly from a chatbot

              Additional resources

              Author Marty Scholes
              Marty ScholesManager, ISV Partner Solution Architects

              Marty Scholes has over 20 years of broad experience in the development and administration of database, storage, network systems, applications, and service management. He leads a team of Docusign Partner Success Architects who assist Docusign partners to design and deliver solutions that delight clients. Marty helps people master deep technical concepts so that they can make the most of technology.

              More posts from this author

              Related posts

              • Leveraging Docusign AI and Salesforce for Improved Contract Management
                Developers

                Leveraging Docusign AI and Salesforce for Improved Contract Management

                Author Subbarao Pydikondala
                Subbarao Pydikondala
              • Event Notifications using JSON SIM and HMAC

                Event Notifications using JSON SIM and HMAC

                Author Jonathan Sammons
                Jonathan Sammons
              Leveraging Docusign AI and Salesforce for Improved Contract Management

              Leveraging Docusign AI and Salesforce for Improved Contract Management

              Author Subbarao Pydikondala
              Subbarao Pydikondala
              Event Notifications using JSON SIM and HMAC

              Event Notifications using JSON SIM and HMAC

              Author Jonathan Sammons
              Jonathan Sammons

              Discover what's new with Docusign IAM or start with eSignature for free

              Explore Docusign IAMTry eSignature for Free
              Person smiling while presenting