OAuth token endpoint accepts invalid Integration Key in Authorization header

Forum|Forum|2 months ago
September 10, 2025
0 replies
16 views

DmitryK
Newcomer

When requesting an access token via the Authorization Code Grant flow, the integration key provided in the Authorization header is not being validated.

For testing, I intentionally sent an invalid or even empty integration key in the header, but the /oauth/token endpoint still returned a 200 OK with a valid access_token and refresh_token.

API
Authentication
OAuth
Access Token

Code of Conduct Accessibility statement

Sign up

Already have an account? Login

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Customer Login/Registration Developer Login/Registration

Docusign Community

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Customer Login/Registration Developer Login/Registration

Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.

Enter your e-mail address

Back to overview

Scanning file for viruses.

Sorry, we're still checking this file's contents to make sure it's safe to download. Please try again in a few minutes.

This file cannot be downloaded

Sorry, our virus scanner detected that this file isn't safe to download.

Docusign Community

Code of Conduct