In the DocuSign Admin console, configure a Connect subscription pointing to your HTTPS endpoint and enable HMAC authentication, saving the generated HMAC key.
On each inbound POST, read the X-DocuSign-Signature-1 header and the raw request body bytes.
Compute HMAC-SHA256 of the raw body using your stored HMAC key, then base64-encode the digest.
Compare your computed value to the header value using a constant-time string comparison; reject requests that do not match with HTTP 401.
Parse the XML or JSON payload (depending on your Connect format setting) to extract envelopeId and status, then enqueue processing to avoid timing out the HTTP response.
Known gotchas
You must use the raw unparsed body bytes for HMAC computation; re-serializing a parsed object will change whitespace and produce a wrong digest.
DocuSign can deliver events multiple times; design your handler to be idempotent, keyed on envelopeId plus status.
Connect delivery failures trigger retries; respond with HTTP 200 quickly (under a few seconds) and do heavy processing asynchronously.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp