Morning,

In my team we are trying to implement an integration with DocuSign and, according to the documentation, we need to set up an OAuth process. In order to do so, the steps we’ve followed are:

  • Create a developer account
  • Go to “Integrations” → “Apps and Keys” and create an app there with a secret key and also the redirect URIs and CORS configuration. As it is the first try, we used “http://localhost:3000” everywhere.
  • We followed this link from the documentation: https://developers.docusign.com/platform/auth/authcode/confidential-authcode-get-token/
  • We’ve implemented a redirection from our frontend to get an authCode as stated in the documentation by calling https://account-d.docusign.com/oauth/auth with response_type=code, scope=signature cors, client_id={OUR_CLIENT_ID} and redirect_uri=http://localhost:3000
  • Afterwards, we are doing a POST request through axios to https://account-d.docusign.com/oauth with the parameters stated in the documentation (a header with Authorization: Basic {COMBINED TOKENS} and a body with { grant_type: ‘authorization_code’ and code: the retrieved code }).
  • In this whole flow, we are getting the auth code, but when trying to exchange it for an access code immediately after, we are getting a 400 BAD REQUEST with {"error":"invalid_grant","error_description":"unexpected_origin_included"}

Does anyone have any tips on how to proceed? We didn’t find this error anywhere in the documentation and are a bit stuck with the topic.

Hey @Haufe Onboarding,

I noticed that you are trying to use the Authorization Code Grant token type (response_type=code) for a CORS call. This is not possible. Per our documentation, you must use Implicit Grant (response_type=token) instead if you want to make API calls from the client side.

I recommend you revoke the previous consent given for the integration key you are trying to work with and execute the consent request again with the correct response_type declared.

Keep in mind that when using Implicit Grant you don’t need to exchange the code returned for a token, as the token is already returned through the callback URI. You just need to handle it on your end to collect the token, and provide the logic on your end to grab a new token as soon as the previously generated one expires.

A few resources to help you below:

 

😎


So what's the type of your application? Web application? We mostly suggest using JWT for system integration.

FreeLink/甫连信息
🌍 DocuSign Partner | Partner Profile
🏆 2024 APAC Reseller Growth Partner of the Year
🔧 The first in APAC to pass the DocuSign eSignature Technical Consultant certification.
🚀 Expertise in DocuSign integrations with on-premises systems for leading enterprises across various industries.

Feel free to reach out for collaboration opportunities.


Okay, I guess I misunderstood the documentation @Renan Araujo many thanks. I’ll try your approach and reach back.

It is a web application @Hengfeng Ge


If your application is a web application with a backend, you can check generating a token by JWT for one system user. It needs consent to be granted one time before getting a token.

https://developers.docusign.com/platform/auth/jwt/jwt-get-token/

 

For a developer account, the consent URL should look like:

https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature impersonation&client_id=f8f502d1-cac9-328e-a0d5-9e2f2e413e8b&redirect_uri=https://localhost

 

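The JWT grant suggested in the reply above, sketched as an added example that is not part of the thread and is not DocuSign's code: it builds the one-time consent URL and the signed assertion on the backend, so no secret or private key is sent to the browser. The function names and the GUIDs used with them are hypothetical placeholders, and it assumes an RSA key pair has been registered for the integration key under "Apps and Keys".

```javascript
// Added example: backend-only code, not DocuSign's or the posters' own.
const crypto = require('crypto');

const AUTH_HOST = 'account-d.docusign.com';  // developer environment, as in the thread
const SCOPES = 'signature impersonation';    // scopes from the consent URL in the thread

const b64url = (data) => Buffer.from(data).toString('base64url');

// One-time consent URL. Query values are percent-encoded, including the
// space that separates the two scopes.
function buildConsentUrl(integrationKey, redirectUri) {
  const query = new URLSearchParams({
    response_type: 'code',
    scope: SCOPES,
    client_id: integrationKey,
    redirect_uri: redirectUri,
  }).toString().replace(/\+/g, '%20');
  return `https://${AUTH_HOST}/oauth/auth?${query}`;
}

// RS256-signed assertion for the JWT grant. The private key stays on the
// server; lifetimeSec is an assumed short lifetime.
function buildAssertion({ integrationKey, userId, privateKeyPem, nowMs = Date.now(), lifetimeSec = 3600 }) {
  const iat = Math.floor(nowMs / 1000);
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: integrationKey, sub: userId, aud: AUTH_HOST, iat, exp: iat + lifetimeSec, scope: SCOPES };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${b64url(signature)}`;
}

// Form-encoded body for the POST to https://account-d.docusign.com/oauth/token.
function buildTokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Checks the signature with the matching public key and returns the claims,
// or null if the signature does not verify.
function verifyAssertion(jwt, publicKeyPem) {
  const [head, body, sig] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`), publicKeyPem, Buffer.from(sig, 'base64url'));
  return ok ? JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) : null;
}
```

The backend sends the body from `buildTokenRequestBody` with `Content-Type: application/x-www-form-urlencoded` and hands only the resulting access token, or API results, to the frontend.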

