
Production JWT Authentication - USER_AUTHENTICATION_FAILED on Envelope Creation

  • January 8, 2026


I'm getting USER_AUTHENTICATION_FAILED errors when creating envelopes via the API in production, even though JWT token generation and get_user_info() succeed.

Setup:

  • Production account: eSignature Business Pro
  • Authentication: JWT (Service Integration with RSA keypair)
  • Integration Key
  • SDK: docusign-esign Python

What Works:

  • JWT token generation succeeds
  • get_user_info() returns account details
  • Admin consent granted

What Fails:

EnvelopesApi.create_envelope() returns:

Error: (400) Bad Request
errorCode: USER_AUTHENTICATION_FAILED
message: "One or both of Username and Password are invalid."
Trace-Token:

Code flow:

  1. Get JWT token via request_jwt_user_token()
  2. Call get_user_info() to get account_id and base_uri
  3. Set base_path to account.base_uri + '/restapi'
  4. Set Authorization header with Bearer token
  5. Call create_envelope() with account_id → fails with USER_AUTHENTICATION_FAILED

Question: Is there a production account permission or configuration needed beyond what's shown in the Apps and Keys settings?

1 reply

  • Docusign Employee
  • January 9, 2026

This one’s a bit difficult to diagnose without specifics. If the token request and the userinfo call are both successful, that generally means the user is active and ready to go, and if this were a permission/feature error, that would generally be called out in the error message.

The USER_AUTHENTICATION_FAILED message: "One or both of Username and Password are invalid." generally means the Authorization header isn’t being “accepted” as correct - either the token was generated from the wrong environment (demo vs prod), or the header itself is malformed. If you are indeed setting yours to be “Bearer xxxyyyzzz” then you should be good.

I’d recommend debugging or using a network tracing tool like Fiddler to check your application’s traffic to confirm that 1) the token request is indeed happening against the Production site (account.docusign.com - NOT account-d.docusign.com), 2) the base_path is correctly set to one of the production sites (anything but demo.docusign.net), and 3) the Authorization header looks correct.

If that all checks out, I’d recommend opening a support case including all of the above as well as

  • the user ID you’re authenticating as
  • the integration key
  • a fresh tracetoken if one is available
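
The three checks from the reply above can also be run in code before the envelope call. This is an added example, not part of the original thread and not Docusign's code. It assumes the access token is a compact JWT; the function names and the `prod-host.example` host are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hostnames quoted in the reply above.
PROD_OAUTH_HOST = "account.docusign.com"
DEMO_OAUTH_HOST = "account-d.docusign.com"
DEMO_API_HOST = "demo.docusign.net"
# Assumption: the access token is a compact JWT (three base64url segments).
JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _host(value):
    """Accept a bare hostname or a full URL and return the lowercase host."""
    parsed = urlparse(value if "//" in value else "//" + value)
    return (parsed.hostname or "").lower()


def check_production_config(oauth_host, base_path, auth_header):
    """Return a list of findings (never the token); empty means all checks passed."""
    findings = []
    # 1) The token request must target the production OAuth host.
    host = _host(oauth_host)
    if host == DEMO_OAUTH_HOST:
        findings.append("token requested from demo OAuth host")
    elif host != PROD_OAUTH_HOST:
        findings.append("unexpected OAuth host: " + host)
    # 2) base_path must not be the demo site and must end in /restapi (step 3).
    api = urlparse(base_path)
    if (api.hostname or "").lower() == DEMO_API_HOST:
        findings.append("base_path points at demo API host")
    if api.scheme != "https" or not api.path.rstrip("/").endswith("/restapi"):
        findings.append("base_path is not https://<host>/restapi")
    # 3) Header must be 'Bearer <token>' with no quotes, newline or extra spaces.
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        findings.append("Authorization scheme is not 'Bearer'")
    elif not JWT_SHAPE.fullmatch(token):
        findings.append("token part is malformed (whitespace, quotes or not a JWT)")
    return findings


if __name__ == "__main__":
    # Constructed values: demo hosts mixed into a production run, trailing newline.
    for finding in check_production_config(
            "https://account-d.docusign.com/oauth/token",
            "https://demo.docusign.net/restapi", "Bearer aaa.bbb.ccc\n"):
        print(finding)
```

Pass it the OAuth host the SDK was configured with, the base_path from step 3 and the exact header string from step 4; findings describe the problem without echoing the token, so they are safe to log.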