Skip to main content
arrow-left Back to Docusign.com
Question

JWT Grant returning invalid_grant : user_not_found despite correct setup

  • December 19, 2025
  • 2 replies
  • 76 views
R
Newcomer
Forum|alt.badge.img

Hi all,

I’m stuck with a DocuSign JWT Grant issue and would appreciate help from anyone who has seen this before.

Problem

Calling the token endpoint consistently returns:

{
  "error": "invalid_grant",
  "error_description": "user_not_found"
}

Token Request

POST https://account-d.docusign.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=<signed_jwt>

JWT Details

  • alg: RS256

  • iss (Integration Key):
    0a09f94b-xxxx-xxxx-xxxx-722da7e2846a

  • sub (User ID):
    3af994a5-xxxx-xxxx-xxxx-adf23dce0cd3

  • aud: account-d.docusign.com

  • scope: signature impersonation

  • iat/exp: valid, exp < 1 hour

JWT is signed with the private key matching the public key uploaded in Apps & Keys.

Account & User Info

  • API Account ID:
    1978465f-xxxx-xxxx-xxxx-f03fa526107f

  • User is:

    • Active

    • Admin

    • Member of the same account as the integration key

  • JWT Grant is enabled on the app

Consent

Consent was granted successfully using:

https://account-d.docusign.com/oauth/auth
?response_type=code
&scope=signature%20impersonation
&client_id=0a09f94b-xxxx-xxxx-xxxx-722da7e2846a
&redirect_uri=<valid_redirect_uri>

Consent was granted while logged in as the same user used in sub.

What I’ve already verified

  • Correct user ID copied from Admin → Users

  • User belongs to the same account as the integration key

  • User is admin and active

  • Consent granted for the same user

  • Correct demo OAuth domain (account-d.docusign.com)

  • Public/private key pair matches

  • Same result in Postman and backend

Question

Given all of the above:

Under what conditions does DocuSign return user_not_found for JWT when the user clearly exists, is active, has consent, and belongs to the same account as the integration key?

Is there:

  • An additional app-level user assignment requirement?

  • A hidden account context or default-account constraint?

  • A known DocuSign demo environment quirk with JWT?

Any insight from DocuSign dev or experienced developers would be greatly appreciated. I’m happy to provide additional details if needed.

Thanks!

    2 replies

    JohnSantos
    Guru
    Forum|alt.badge.img+21
    • JohnSantosGuru
    • Guru
    • December 19, 2025

    @Rahul Frost 

    Even when you “copy the User ID from Admin”, it’s easy to accidentally grab the wrong identifier (membership id vs user id), or grab it from prod while calling the demo OAuth host or grab it from a different account context.

    Confirm this for me: 

    • Do an Authorization Code Grant token exchange (not just “consent granted”, actually exchange the code for an access token).
    • Call GET https://account-d.docusign.com/oauth/userinfo
    • Use the sub returned there as the JWT sub.

    If the sub from /oauth/userinfo doesn’t match what you’re putting in the JWT, that’s your answer.

    Welcome to the DocuSign Community! Your feedback is highly valued. If you find my response helpful, please give it a "Like" and consider marking it as the "Best Answer" to assist others with similar issues.
    F
    Docusign Employee
    Forum|alt.badge.img
    • Felipe.AlarconDocusign Employee
    • Docusign Employee
    • December 22, 2025

    Hi ​@Rahul Frost ,

    The error “invalid_grant: user_not_found” in the JWT flow occurs when the JWT’s subject (sub) does not resolve to a user in the specific Account you’re calling. Please verify the following:

    • Copy the sub value directly from Admin → Users in the Demo environment, and ensure it’s a GUID for that user (not an email or the API Account ID).
    • Confirm consent was granted in the same environment you’re calling. If you’re posting to account-d.docusign.com, grant consent in Demo with the same Demo user and the same Demo integration key. See consent guidance:  https://developers.docusign.com/platform/auth/consent/.
    • Ensure the aud claim and token endpoint match the environment exactly: aud=account-d.docusign.com and POST to  https://account-d.docusign.com/oauth/token. See JWT requirements:  https://developers.docusign.com/platform/auth/jwt/.
    • Re-check claims and signing: iss = Integration Key (GUID), sub = user GUID, scope includes signature impersonation, alg=RS256; signed with the private key corresponding to the public key uploaded for the app. See JWT overview:  https://developers.docusign.com/platform/auth/jwt/.
    • Use jwt.io to decode and validate the assertion: confirm the header/body claims (iss, sub, aud, iat/exp, scope), verify RS256, and ensure the signature validates against the public key you uploaded.

    If you continue to experience issues, please submit a ticket to Docusign Support at  https://support.docusign.com. For your privacy and security, do not publish or share sensitive account information (e.g., integration key GUIDs, user GUIDs, private keys, or account-specific details) in public forums or tickets.

     

    Hope that helps
    Best regards,

    Code of ConductAccessibility statement

    Docusign Community

    Code of Conduct