Idea Description:
Recent incidents in the SaaS ecosystem have highlighted critical security gaps where third-party applications accidentally exposed Access Tokens or API credentials, leading to unauthorized API activity. As described in Okta’s analysis of recent breaches, enforcing strict network-based controls on API usage is an essential layer of protection.
https://www.okta.com/newsroom/articles/first-drift--now-gainsight--closing-the-gaps-in-saas-hygiene/
Today, Docusign API integrations often require developers to handle private keys or integration secrets during development and maintenance. However, once those developers leave the company, or when keys unintentionally end up in code repositories, the credentials can still be used to call Docusign APIs from unauthorized locations. This creates significant security risk for customers, especially considering that contracts are among the most sensitive enterprise assets.
To mitigate these risks, we propose that Docusign introduce network-level security controls for API integrations, similar to Okta and Salesforce:
Requested Features
- Network Allowlist / Blocklist per Integration Key (Apps and Keys)
  Allow administrators to restrict API calls to specific IP ranges or corporate networks. This ensures that even if tokens or keys are leaked, attackers cannot call Docusign APIs from unapproved networks.
- Network Conditions as a Core Security Feature (available across all plans)
  Since this is foundational security—similar to Salesforce’s Login IP Ranges—it should be available to all customers, not limited to higher editions.
- Optional enforcement policies
  - “Block API requests from unknown networks”
  - “Allow specific IP ranges only”
  - “Alert or log when API calls come from new locations”
- Audit Trail Enhancements
  Show the source IP, geo, and network of each API call for monitoring and incident investigation.
Customer Value
- Protects against leaked API keys or tokens being used from unauthorized networks
- Helps customers meet compliance and internal security standards
- Reduces risk when developers rotate, offboard, or change roles
- Provides essential zero-trust protections in a growing threat landscape
- Aligns Docusign with industry-leading security practices (Okta, Salesforce)
FreeLink/甫连信息
🌍 DocuSign Partner | Partner Profile
🌟The only DocuSign Partner globally with two Certified eSignature Technical Consultants
🏆 DocuSign 2025 APAC Growth Engine Partner of the Year
💡 Ranked #1 in the OG All Star category in DocuSign Community Wrapped 2024
📊 DocuSign Community Leaderboard Top 5 contributor
🚀 Expertise in DocuSign integrations with on-premises systems for leading enterprises across various industries
🔗 Connect with me on LinkedIn: https://www.linkedin.com/in/gehengfeng
📬 For business inquiries, feel free to connect via:
WeChat/微信: +86 1381880287
WhatsApp: +65 97796938
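To make the requested controls concrete, here is an added example (not Docusign code, and not part of the original post) of how a per-integration-key network policy could be evaluated on the API side. The policy shape, integration key names and source addresses are all constructed for illustration; it implements the three proposed enforcement modes (allow-only, alert on new networks, off), fails closed for keys with no policy, and emits an audit record carrying the source IP and network for each call. Geo lookup is left out.

```python
import ipaddress

# Constructed per-integration-key policies (hypothetical shape; Docusign has no such
# setting today). mode: "allow_only" blocks calls from outside the listed networks,
# "alert" permits but flags the first call from a new network, "off" = no condition.
POLICIES = {
    "ik-payroll-app": {"mode": "allow_only", "networks": ["203.0.113.0/24", "2001:db8:10::/48"]},
    "ik-hr-portal": {"mode": "alert", "networks": ["198.51.100.0/24"]},
    "ik-legacy": {"mode": "off", "networks": []},
}

# Constructed API calls as (integration_key, source_ip), using documentation ranges.
SAMPLE_CALLS = [
    ("ik-payroll-app", "203.0.113.45"),  # corporate egress, allowlisted
    ("ik-payroll-app", "192.0.2.77"),    # leaked key used from elsewhere
    ("ik-hr-portal", "198.51.100.9"),    # allowlisted
    ("ik-hr-portal", "192.0.2.10"),      # first call from an unknown network
    ("ik-hr-portal", "192.0.2.11"),      # same /24 again, already seen
    ("ik-unknown", "203.0.113.1"),       # key with no policy: fail closed
]

def source_network(source_ip):
    """Coarse network the call came from: /24 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(source_ip)
    plen = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def evaluate(integration_key, source_ip, seen):
    """Return (allowed, alert, reason). `seen` maps key -> networks observed so far."""
    policy = POLICIES.get(integration_key, {"mode": "allow_only", "networks": []})
    if policy["mode"] == "off":
        return True, False, "no network condition configured"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(c) for c in policy["networks"]):
        return True, False, "source in allowlist"
    if policy["mode"] == "allow_only":
        return False, True, "blocked: source outside allowlist"
    net = source_network(source_ip)
    is_new = net not in seen.setdefault(integration_key, set())
    seen[integration_key].add(net)
    return True, is_new, "new network for this key" if is_new else "previously seen network"

def audit_trail(calls):
    """One audit record per call: source IP and network alongside the decision."""
    seen, records = {}, []
    for key, ip in calls:
        allowed, alert, reason = evaluate(key, ip, seen)
        records.append({"integration_key": key, "source_ip": ip, "network": source_network(ip),
                        "allowed": allowed, "alert": alert, "reason": reason})
    return records
```

Running `audit_trail(SAMPLE_CALLS)` shows the leaked-key call blocked, the first call from an unseen network flagged once, and the unregistered key refused.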