Invalid Grant - "no_valid_keys_or_signatures"

Hi my name is Eric and I'm on the Docusign Developer Support team.

The error you are having is very generic, since there may be many edges involved.

I share what the documentation of this error indicates:

“The invalid_grant error is a generic error response that means something is incorrect in the JWT assertion. In order to determine what is wrong, refer to the error_description parameter in the response. If the error_description isn't readily available in your application, we recommend setting up error logging that captures the full error response.

Authentication error responses:

• consent_required: If using individual consent, make sure consent has been granted for the desired scopes. The signature impersonation scope is the minimum required for JWT authentication, but other scopes may be necessary for Rooms or Admin functions.
• invalid_subject or user_not_found: Something is likely wrong with the sub (subject) value in the assertion. Confirm that the value is a valid GUID user ID (not an email address) of a user that is active in the relevant environment.
• Issuer_not_found: The integration key in the iss (issuer) parameter is unavailable in the current environment. This can also mean a mismatch in the aud (audience) value and the environment being hit: for example, using an aud value of account.docusign.com while requesting a token from https://account-d.docusign.com/oauth/token.
• no_valid_keys_or_signatures: This error covers several cases:
  • There is an issue with the private key used to sign the assertion (for example, using a demo key in the production environment).
  • The assertion is missing an exp (expiration) parameter
  • The aud (audience) parameter is invalid - confirm the audience value is exactly account.docusign.com or account-d.docusign.com with no https:// prefix or trailing slash (/).
  • An nbf (not valid before) parameter is defined, and that time has not been reached. The nbf parameter is optional and can be removed from the assertion, but if it is present, it must be a time in the past.
• expired_grant: The assertion has expired. The exp (Expiration) parameter must be a time in the future.”

As you can see the no_valid_keys_or_signatures has several possible errors.

Since you are using a third party and if the problem persists I would recommend that you open a ticket with the Appian team, since there may also be problems with the code they are using to create the access token.

Regards,

Eric | Docusign

Hi Eric, 

As I mentioned before, the code for creating the access token in dev. is same as in test and production environments. I am having issue only in DEV. Do I need to create a new connection for Docusign for Dev. and give it a try?

Thanks. 

@Sandhya  - 

Here are some steps you can take to troubleshoot and resolve the issue:

1. Verify Configuration Consistency: Double-check all configuration settings across DEV, TEST, and PROD environments. Ensure that the client IDs, client secrets, token endpoints, and any other relevant configurations are identical where they should be and different where necessary.

2. Check User Permissions: Ensure that the user whose ID (ri!userId) is being used to generate the JWT token in the DEV environment has the appropriate permissions in DocuSign. This user might need specific roles or scopes to access the DocuSign API.

3. Review DocuSign API Logs: Check the DocuSign API logs or error logs for any additional information related to the "invalid grant" error. This might provide more insights into what specifically is failing during the authentication process.

4. Review JWT Generation Code: Review the code responsible for generating the JWT token (createdocusignrsajwttoken function in your case). Make sure that all parameters are correctly set, and there are no issues with how the JWT token is being constructed, especially the private key.

5. Test Token Generation Independently: If possible, try to isolate the token generation process and test it independently of the integration. Ensure that the JWT token is being generated correctly and that it is valid when used to request an access token from the DocuSign API.

Thank you so much @JohnSantos. Will check the points you mentioned. Have a good day!