1

I read through the instructions here, which works if you're using Connect at the "account level" (i.e. all envelopes get sent through one account).

Our use case involves requiring a customer to log into DocuSign using their own account, so I'm now setting a callback on the envelope. When I receive the callback in this scenario, the HMAC signature headers aren't sent (X-DocuSign-Signature-1, X-DocuSign-Signature-2, etc.).

Has anyone experienced this? I'm in ruby/rails, using the docusign_esign gem, version 2.0.0.

I see an include_hmac parameter in DocuSign_eSign::ConnectCustomConfiguration, but it's not clear to me if you can use a custom configuration with an envelope-level callback.

Any help is appreciated.

Tim Swetonic
  • 19
  • 3

1 Answers1

2

The eventNotification object now includes an attribute includeHMAC.

If HMAC is set up at the account level, and includeHMAC is set to "true" then the HMAC headers will be included for per-envelope webhooks.

Unfortunately, the API call for setting up HMAC at the account level is not currently available. So customers need to have account-wide Connect to set the HMAC secret.

HMAC secrets are added and managed via the Connect Keys button in the Connect section of the eSignature Admin app:Connect Keys button

Larry K
  • 47,808
  • 15
  • 87
  • 140
  • Thanks I'll check this out. – Tim Swetonic Jan 23 '21 at 21:42
  • This sounds like a "ISV partner" integration. You can follow the above process, but each customer will need to have/add at least one HMAC key to their account and share it with you. Your integration will need to manage these on a per-customer basis. If you wish to add security without the risk and overhead of managing per-customer secrets, I recommend using Mutual TLS instead. – WTP Jan 25 '21 at 16:51