Docusign API Basic User Password Authentication Retirement
Docusign is deprecating basic authentication. Find out how this affects your integration and how to migrate to secure authentication methods.
Notice: Docusign API basic user password authentication retirement—REST and SOAP
Docusign is deprecating basic user password authentication methods (the X-Docusign-Authentication header) for first-party integration keys (eSignature for Salesforce, Dynamics, Print Driver, etc.) and partner integrations.
Please be aware Docusign has been actively working with customers to migrate to a better authentication method since 2022. Most of our customers have successfully migrated. As your vendor, we want to encourage you to start planning for the migration because legacy authentication is less secure than modern authentication. Legacy authentication can be more easily compromised by cyberattacks such as phishing, brute-force attacks, and credential stuffing. These types of attacks can be used to steal user credentials and gain unauthorized access to sensitive information. Customers using legacy authentication should migrate as soon as possible.
While most of our customers have migrated successfully, we understand that this has been a complicated and time-consuming process for some customers, and particularly, partners with large groups of end users.
Updated phase of legacy authentication retirement
We have set the final date for end-of-life of legacy authentication at September 30th, 2024.
We will be ending all technical support for legacy authentication at that time as well as blocking integrations.
Customers should migrate as soon as possible to prevent potential service interruptions.
Customers currently on exception requests will have those honored. It is highly encouraged that the original timeline is respected. We will not be giving any extensions past September 2024.
We encourage all customers remaining on legacy authentication to contact Docusign Support if technical migration assistance is needed.
If you are one of our Docusign Partners, you can reach out to your partner advisor or our Partner Program if you need assistance to finish the migration or file an exception request. You can also follow the steps below to file for an exception request.
Filing for a support case
Follow these steps to create a case with our Developer Support team:
1. Log in to Docusign Support.
2. Select Get Support from the header.
3. Select Open a Support Case, then New Case, and select the account containing the integration key affected.
4. Choose the case subject by selecting Integration, API, Development, then Docusign APIs. Select Add Case Details.
5. Fill in the case details appropriate to your request: either request an exception to basic authentication deprecation, or request Docusign Support assist you with your migration. Note: This same form can also be used for any integration support requests you may have.
Phase 2 Update
Docusign is committed to maintaining exceptional levels of security and operability across all of its products and integrations. In keeping with this commitment, we will be kicking off Phase 2 migration of basic user password authentication API methods starting on August 31, 2023. Integrations using these methods will need to migrate to a more secure authentication standard.
Who is impacted in Phase 2
If your app doesn’t use OAuth 2.0 to authenticate, you must update it to use OAuth 2.0 (for REST) or App Password (for SOAP) authentication prior to August 2023.
Phase 1 carry over:
REST NA2 partners
All TCSM customers
Workday has an exception until March 2024 as they work on updating their integration to OAuth in close partnership with Docusign.
If you require an extension: You will have an eight-month grace period, from August 2023 to March 2024, to file for an exception to ensure the transition is completed, or to work with Docusign resources to transition. Once an exception is approved, the integration can stay on basic user password authentication until September 2024.
Future deprecation phases: Some partners have received extensions in Phase 1 which will stay effective in Phase 2. We will continue to work closely with our partners to monitor the health of this program. Details on additional phases for this deprecation will be announced as we monitor progress on the first phase.
Phase 1:
Docusign is in the process of retiring basic user password authentication API methods, which authenticate each API call by passing the user’s email and password in the authentication header of every request (see OAuth 2.0 requirements and migration on the Developer Center for more details). We are targeting both SOAP and REST integrations to ensure that all methods of accessing Docusign are kept up to industry and Docusign security standards.
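An inventory check for the header-based method described above, as an added example that is not Docusign code: it classifies captured outbound REST requests by whether they still send the X-Docusign-Authentication header or an OAuth bearer token. The integration names, host, paths and header values are constructed placeholders, and SOAP integrations are out of scope.

```python
import re

# HTTP header names are case-insensitive, so compare them lowercased.
LEGACY_HEADER = "x-docusign-authentication"  # header named in this notice
BEARER_RE = re.compile(r"^bearer\s+\S+", re.IGNORECASE)

def parse_headers(raw_request: str) -> dict:
    """Return {lowercased header name: value} for a raw HTTP/1.1 request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_request: str) -> str:
    """Label one request as 'legacy', 'oauth' or 'unknown'."""
    headers = parse_headers(raw_request)
    if LEGACY_HEADER in headers:
        # Still needs migration even if a bearer token is sent alongside.
        return "legacy"
    if BEARER_RE.match(headers.get("authorization", "")):
        return "oauth"
    return "unknown"

def audit(captures: dict) -> dict:
    """Map integration name -> label. Header values are never echoed,
    because the legacy header carries the user's password."""
    return {name: classify(raw) for name, raw in captures.items()}

# Constructed sample captures (hypothetical integrations, placeholder values).
SAMPLE_CAPTURES = {
    "crm-sync": "POST /example HTTP/1.1\r\nHost: api.example.test\r\n"
                "X-Docusign-Authentication: CONSTRUCTED-CREDENTIALS\r\n\r\n{}",
    "hr-portal": "GET /example HTTP/1.1\r\nHost: api.example.test\r\n"
                 "Authorization: Bearer CONSTRUCTED-TOKEN\r\n\r\n",
    "batch-job": "GET /example HTTP/1.1\r\nHost: api.example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, label in audit(SAMPLE_CAPTURES).items():
        print(f"{name}: {label}")
```

Integrations labelled `legacy` are the ones to migrate; `unknown` means the capture showed neither method and needs a manual look.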
Docusign will deprecate basic user password authentication (used in the X-Docusign-Authentication header) for all first-party integrations (eSignature for Salesforce, Dynamics, Print Driver, and others) and some third-party partner integrations. For the first phase of this process, we will be targeting the following integrations:
For SOAP integrations, we will be targeting all Partner Integrations as a part of Phase 1.
For REST integrations, we will be addressing ONLY NA1 Partner Integrations as a part of Phase 1.
For first-party Integrations (Docusign for Salesforce, Print Driver, etc.): We will be working internally to address the first-party (Docusign-built) integrations migration path. No action is needed from customers at the moment. We will reach out separately to customers with our first-party integrations migration plan.
Note: We will send emails to Partners who are impacted soon. If you are not sure if you are part of Phase 1, please keep track of your inbox or check in with your Partner advisors.
Non-partner integrations will be addressed in a later phase.
Beginning October 20, 2022 and up to March 2023, partners included in the first phase of deprecation will be permitted to file a request for an exception to receive additional time to ensure the transition is completed, or to work with Docusign Support resources to complete their transition to secure authentication protocols. Once an exception is approved, the integration can stay on basic user password authentication until September 2023. After March 2023, all integrations from the first phase that do not have exception approvals will not be able to use basic user authentication to authenticate against Docusign. To learn more about the process of migrating to a more secure auth method and/or to file for an exception, see below.
Action required
If your integration has been identified as using a method of basic user password authentication which will no longer be supported after March 2023, see OAuth 2.0 requirements and migration on the Docusign Developer Center for instructions and resources to guide your migration. If you are unsure how to update your integration, or do not have the resources to do so, we recommend opening a case with Docusign Developer Support following the instructions given here.
Docusign Partner
If you are one of our Docusign Partners, you can reach out to your partner advisor or our Partner Program if you need assistance to finish the migration or file an exception request. You can also follow the steps below to file for an exception request.
Filing for a support case
Follow the steps below to create a case with our Developer Support team.
1. Log in to Docusign Support.
2. Select Get Support from the header.
3. Select Open a Support Case, then New Case, and select the account containing the integration key affected.
4. Choose the case subject by selecting Integration, API, Development, then Docusign APIs. Select Add Case Details.
5. Fill in the case details appropriate to your request: either request an exception to basic authentication deprecation, or request Docusign Support assist you with your migration. Note: This same form can also be used for any integration support requests you may have.
Future deprecation phases
Details on additional phases for this deprecation will be announced as we monitor progress on the first phase.
Sarah Zou is a Senior Platform PM at Docusign. Empowering users to protect their credentials and fighting identity stuffing attacks are her passions. Her work focuses on enabling customers to deploy Docusign in a way that matches their Identity Access Management strategy (i.e. SSO, OAuth, TFA, etc). You can find her on LinkedIn.