Create an RSA key pair in the DocuSign Developer or Production admin console and note your integration key (client ID).
Build a JWT with header alg RS256, and claims: iss=YOUR_INTEGRATION_KEY, sub=YOUR_USER_ID, aud=account-d.docusign.com for demo or account.docusign.com for production (no https:// scheme in the aud value), iat, and exp.
Sign the JWT with your RSA private key.
POST the JWT to https://account-d.docusign.com/oauth/token (demo) or https://account.docusign.com/oauth/token (production) with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=YOUR_SIGNED_JWT.
Extract access_token from the JSON response and use it as a Bearer token for API calls.
Re-request the token before expiry; JWT grant tokens typically expire within one hour.
Known gotchas
The aud claim must be the bare hostname — account-d.docusign.com for demo and account.docusign.com for production — without an https:// scheme prefix; including the scheme will cause JWT validation to fail.
The impersonated user must have previously granted consent to your application; initiate the consent flow once via the browser-based OAuth authorization URL if consent has not been given.
Use the correct environment pair — demo integration key and demo token endpoint for sandbox, production credentials only against the production endpoint.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp