Skip to main content
arrow-left Back to Docusign.com
Question

JWT Grant returning invalid_grant : user_not_found despite correct setup

  • December 19, 2025
  • 0 replies
  • 4 views
R
Newcomer
Forum|alt.badge.img

Hi all,

I’m stuck with a DocuSign JWT Grant issue and would appreciate help from anyone who has seen this before.

Problem

Calling the token endpoint consistently returns:

{
  "error": "invalid_grant",
  "error_description": "user_not_found"
}

Token Request

POST https://account-d.docusign.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=<signed_jwt>

JWT Details

  • alg: RS256

  • iss (Integration Key):
    0a09f94b-xxxx-xxxx-xxxx-722da7e2846a

  • sub (User ID):
    3af994a5-xxxx-xxxx-xxxx-adf23dce0cd3

  • aud: account-d.docusign.com

  • scope: signature impersonation

  • iat/exp: valid, exp < 1 hour

JWT is signed with the private key matching the public key uploaded in Apps & Keys.

Account & User Info

  • API Account ID:
    1978465f-xxxx-xxxx-xxxx-f03fa526107f

  • User is:

    • Active

    • Admin

    • Member of the same account as the integration key

  • JWT Grant is enabled on the app

Consent

Consent was granted successfully using:

https://account-d.docusign.com/oauth/auth
?response_type=code
&scope=signature%20impersonation
&client_id=0a09f94b-xxxx-xxxx-xxxx-722da7e2846a
&redirect_uri=<valid_redirect_uri>

Consent was granted while logged in as the same user used in sub.

What I’ve already verified

  • Correct user ID copied from Admin → Users

  • User belongs to the same account as the integration key

  • User is admin and active

  • Consent granted for the same user

  • Correct demo OAuth domain (account-d.docusign.com)

  • Public/private key pair matches

  • Same result in Postman and backend

Question

Given all of the above:

Under what conditions does DocuSign return user_not_found for JWT when the user clearly exists, is active, has consent, and belongs to the same account as the integration key?

Is there:

  • An additional app-level user assignment requirement?

  • A hidden account context or default-account constraint?

  • A known DocuSign demo environment quirk with JWT?

Any insight from DocuSign dev or experienced developers would be greatly appreciated. I’m happy to provide additional details if needed.

Thanks!

    Code of ConductAccessibility statement

    Docusign Community

    Code of Conduct