In the DocuSign developer console, create an integration key (client ID), upload an RSA public key, and note the private key for your server.
Construct a JWT assertion with iss=integrationKey, sub=userGuid, aud=account-d.docusign.com (demo) or account.docusign.com (prod), and the required scopes (e.g., signature impersonation) in the scope claim.
POST the signed JWT to /oauth/token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer to receive an access token.
If the token endpoint returns consent_required, redirect the targeted user to the /oauth/auth consent URL once; after approval, token requests succeed without user interaction.
Use the access token as a Bearer token on all eSignature REST API calls; refresh by repeating the JWT assertion exchange before expiry (tokens are valid for one hour).
Known gotchas
Each user whose sub appears in the JWT must have individually granted consent; a single admin consent does not cover all users in the account.
Clock skew between your server and DocuSign's auth server greater than a few minutes will cause JWT validation failures — keep NTP synchronized.
The impersonation scope is required for acting on behalf of users other than the app's own service account; request it explicitly or token calls will return insufficient_scope.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp