Configure a Connect subscription with HMAC authentication enabled, recording the HMAC secret for later verification
In the webhook receiver, extract the X-DocuSign-Signature-1 header, compute HMAC-SHA256 over the raw request body using the stored secret, and reject any request where the computed digest does not match
Persist the raw payload and a processing status flag to an idempotent store keyed on the envelopeId and eventType to support safe replay
If downstream processing fails, call the Connect retry endpoint (POST /accounts/{accountId}/connect/envelopes/{envelopeId}/retry_queue) to instruct DocuSign to re-deliver the event
Monitor the Connect failure log endpoint (GET /accounts/{accountId}/connect/failures) to identify envelopes whose events were never delivered and manually trigger reprocessing
Known gotchas
DocuSign rotates HMAC keys on a schedule; subscriptions with multiple keys listed will validate against all active keys in parallel, so the receiver must check all provided secrets before rejecting
The retry endpoint enqueues a new delivery attempt but does not guarantee immediate redelivery; under high load, retried events may be delayed by minutes
Returning a non-200 HTTP status from the receiver endpoint causes DocuSign to mark the delivery as failed and schedule a retry; idempotency handling in the receiver is essential to avoid double-processing retried events
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp