Blog
Home/

New Connect feature: HMAC signatures for added security

Author Larry Kluger
Larry KlugerDocuSign Lead Product Manager for Partner Platforms
    • What is an HMAC signature?
      • Securing your application
      • Documentation
      • The cryptography of HMAC signatures
      • Let’s talk in person at Momentum!

    Table of contents

    By Larry Kluger and Joey Peng

    We’re pleased to announce a new feature for the Docusign Connect webhook system: HMAC signatures. The new feature is available May 22, 2019 for all developer sandbox (demo) accounts. It is scheduled to be enabled for all production accounts by May 31. The new feature will be available at no additional cost. HMAC provides an easier setup of Connect security compared to Mutual TLS and is much more secure than basic authentication.

    What is an HMAC signature?

    An HMAC (Hash-based Message Authentication Code) signature is a form of a digital signature. HMAC signatures start with a secret key that is shared between the sender (Docusign Connect) and the recipient (your application’s listener server).

    The Connect HMAC signatures provide two cryptographically strong information security guarantees:

    • Authentication of the sender. Assuming that you carefully secure the HMAC secret key(s), a verified HMAC signature guarantees that the message was sent by Docusign.

    • Message integrity. Verification of the HMAC signature also guarantees the message’s integrity, confirming that the message was not changed by an unauthorized third party. The included hash can also be used to double-check content correctness.

    Securing your application

    To maintain the security of the HMAC signatures, you should change your secret keys periodically. The usual practice is once every 1-2 years.

    Docusign strongly recommends that you consult with your organization’s Information Security department or a consultant before setting up a server on the Internet.

    Documentation

    Documentation of the HMAC feature is available on the Docusign Developer Center under Connect HMAC. Code examples are also being developed.

    The cryptography of HMAC signatures

    The Wikipedia article on HMAC Signatures is a good starting point for exploring the technology of HMAC signatures.

    Let’s talk in person at Momentum!

    Both Larry and Joey will be at the Docusign Momentum conference from June 11-13, 2019 in San Francisco. Come discuss Docusign Connect with us, and more. And as a developer, your registration fee is zero dollars. See you there!

    Author Larry Kluger
    Larry KlugerDocuSign Lead Product Manager for Partner Platforms

    Larry Kluger has over 40(!) years of tech industry experience as a software developer, developer advocate, entrepreneur, and product manager. An award-winning speaker with a 48K StackOverflow reputation, he enjoys giving talks and helping the ISV and developer communities.

    Twitter: @larrykluger

    LinkedIn: https://www.linkedin.com/in/larrykluger/

    More posts from this author

    Related posts

    • Streamline End-to-End Agreement Management with Docusign: A Developer Overview
      Developers

      Streamline End-to-End Agreement Management with Docusign: A Developer Overview

      Author Larry Jin
      Larry Jin
    • Fast-Track Your Extension Apps with Reference Implementations

      Fast-Track Your Extension Apps with Reference Implementations

      Author Karissa Jacobsen
      Karissa Jacobsen
    Streamline End-to-End Agreement Management with Docusign: A Developer Overview

    Streamline End-to-End Agreement Management with Docusign: A Developer Overview

    Author Larry Jin
    Larry Jin
    Fast-Track Your Extension Apps with Reference Implementations

    Fast-Track Your Extension Apps with Reference Implementations

    Author Karissa Jacobsen
    Karissa Jacobsen

    Discover what's new with Docusign IAM or start with eSignature for free

    Explore Docusign IAMTry eSignature for Free
    Person smiling while presenting