How to setup DocuSign eSignature Spoke Using JWT GrantSummary<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The DocuSign eSignature Spoke supports two OAuth 2.0 authentication methods for establishing secure communication between ServiceNow and DocuSign: Authorization Code Grant – Recommended when your integration involves user-driven authentication flows where a browser or client interacts with a web server.JWT (JSON Web Token) Grant – Recommended for system-to-system integrations where a single service account is used to authenticate all API calls. For detailed guidance on selecting the appropriate grant type, refer to Choose OAuth Type – DocuSign Developer Documentation. This article guides you through configuring the DocuSign eSignature Spoke in ServiceNow using the JWT Grant. If you want to set up the DocuSign eSignature Spoke using the Authorization Code Grant, see Setup DocuSign eSignature Spoke Using Authorization Code Grant – ServiceNow Documentation. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } N/A Instructions<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Step 1: Configure DocuSign Account Complete these steps from your Docusign account. From your DocuSign account, register a new application.Generate the Integrator Key (Client ID) and Secret Key for your application.Record both values, as they will be required when registering DocuSign as a third-party OAuth provider in your ServiceNow instance.Click Add RSA Keypair, and note the following details: Key Pair ID Public KeyPrivate Key (Store the Private Key securely. It will be required later during the ServiceNow configuration.) Add the ServiceNow OAuth Redirect URL in your DocuSign application settings:Navigate to Additional Settings → Add URI.Enter the callback URL in the following format:https://<instance>.service-now.com/oauth_redirect.do Obtain Account Base URI Navigate to Settings → Integrations → Apps and Keys.Under the My Account Information section, locate the Account Base URI.Copy and record this value, as it will be required later when configuring the connection in ServiceNow. Step 2: Generate the JKS Certificate Generate a Java KeyStore (JKS) certificate to authenticate the DocuSign eSignature Spoke in ServiceNow using the JWT (JSON Web Token) grant method. Open a code editor and create a new file.Paste the Private Key generated from your DocuSign integrator application. Ensure both lines -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- are included. Save the file as docusign_private.key.Open a terminal and navigate to the file directory.Generate a CA-signed certificate using the command: openssl req -new -x509 -key docusign_private.key -out docusign_certificate.pem -days 1095 Enter the required details (Country, State, Organization) when prompted.Create a PKCS#12 file (.p12): openssl pkcs12 -export -in docusign_certificate.pem -inkey docusign_private.key -certfile docusign_certificate.pem -out docusign_keystore.p12 Note: Record the export password securely. Convert the .p12 file to a Java KeyStore (.jks) file: keytool -importkeystore -srckeystore docusign_keystore.p12 -srcstoretype pkcs12 -destkeystore docusign_keystore.jks -deststoretype JKS Provide the source and destination keystore passwords when prompted. Step 3: Attach the Java KeyStore Certificate to the DocuSign eSignature Spoke Enable JWT Bearer Grant token-based authentication by attaching a valid Java KeyStore (JKS) certificate to the DocuSign eSignature Spoke in your ServiceNow instance. Navigate to All → System Definition → Certificates.Click New.In the Certificate form, click the Attachments icon (📎) and upload the JKS certificate file you generated earlier.Update the correct keystore password.Once the certificate is attached, click Validate Stores/Certificates to verify that the keystore has been successfully imported and is valid. Step 4: Create a JWT Signing Key for the DocuSign eSignature Spoke Create a JSON Web Token (JWT) signing key and associate it with your Java KeyStore (JKS) certificate. This key will be used by ServiceNow to generate and sign JWTs during the authentication process with DocuSign. Ensure that the JKS certificate has been successfully uploaded and validated in System Definition → CertificatesNavigate to All → System OAuth → JWT Keys.Click New.Complete the form with the following details: Name: Provide a meaningful name (for example, DocuSign JWT Key).Certificate: Select the JKS certificate you uploaded in the previous step.Algorithm: Choose RS256 (recommended for DocuSign integrations). Enter the correct signing keyClick Submit to save the JWT signing key. Step 5: Create a JWT Provider for the DocuSign eSignature Spoke Create a JSON Web Token (JWT) provider in ServiceNow to generate signed JWT assertions for authenticating with the DocuSign eSignature Spoke via the JWT Grant flow. Navigate to All → System OAuth → JWT Providers.Click New.Complete the form with the following details: Name: Enter a unique name (e.g., DocuSign JWT Provider)Expiry Interval (sec): Token lifespan in seconds (e.g., 3600)Signing Configuration: Select the JWT signing key created earlier (e.g., DocuSign JWT Key) Right-click the form header and select Save. After saving, Standard Claims and Custom Claims related lists appear.In the Standard Claims related list, add: iss: <your_integration_key>sub: <your_user_ID>aud: account-d.docusign.com (demo) or account.docusign.com (production) Notes: iss (Issuer): DocuSign Integration Key (Client ID)sub (Subject): DocuSign user ID for the service accountaud (Audience): DocuSign authorization server URL In the Custom Claims related list, add: Claim Name: scopeClaim Value Type: stringClaim Value: signature impersonation Click Update to save the record. Step 6: Register DocuSign as an OAuth Provider Register DocuSign as an OAuth provider to allow the ServiceNow instance to request OAuth 2.0 tokens.Navigate to All → System OAuth → Application Registry.Click New. When prompted, select Connect to a third party OAuth Provider.Complete the form: Name: Enter a unique name (e.g., DocuSign OAuth)Client ID: Enter the integrator key from your DocuSign accountClient Secret: Enter the client secret from your DocuSign accountDefault Grant type: Select JWT Bearer Authorization URL: Developer sandbox: https://account-d.docusign.com/oauth/authProduction: https://account.docusign.com/oauth/auth Token URL: Developer sandbox: https://account-d.docusign.com/oauth/tokenProduction: https://account.docusign.com/oauth/token Right-click the form header and click Save.The system validates the OAuth credentials and populates the Redirect URL.An OAuth Entity Profile is created with Grant Type as JWT Bearer (e.g., Docusign OAuth default_profile).In the OAuth Entity Scopes related list, add: Name: scopeOAuth Scope: signature impersonation Click Update to save the record. Step 7: Obtain Consent Obtain explicit consent for the ServiceNow application from DocuSign. For organisation administrator consent, follow the instructions in the DocuSign developer documentation. Admin Consent for Internal Applications – DocuSign Developer Documentation. Step 8: Create Credential Records for the DocuSign eSignature Spoke Create Credential records for the DocuSign custom OAuth application. The DocuSign Spoke connection and credential alias use these credentials to authorize actions. Navigate to All → Connections & Credentials → Credentials.Click New. When prompted, select OAuth 2.0 Credentials.Complete the form: Name: Enter a unique name (e.g., DocuSign Credentials)Active: EnableOAuth Entity Profile: Select the OAuth profile created earlier Save the record. Click Get OAuth Token to generate the OAuth token. Step 9: Create Connection Records for the DocuSign eSignature Spoke Create Connection records to your DocuSign account. The DocuSign Spoke connection and credential alias use these connections to perform actions in DocuSign. Navigate to All → Connections & Credentials → Connection & Credential Aliases.Open the record for DocuSign.From the Connections tab, click New.Complete the form: Name: Enter a unique name (e.g., DocuSign Connection)Credential: Select the Credential record created for DocuSign (e.g., DocuSign Credentials) Connection URL: Demo environment: https://demo.docusign.netProduction: Base URI such as na2.docusign.net or eu.docusign.net (see DocuSign Developer documentation for instructions) Click Submit. The setup process is complete. You can now explore the bonus steps to test the integration. Bonus 1: Synchronize ServiceNow with DocuSign Schedule a job to synchronize Docusign with your ServiceNow instance daily, or synchronize data as needed. Schedule a job to synchronize Docusign data with your ServiceNow instance. Navigate to Docusign > Scheduled Job.The Get Accounts & Templates scheduled job opens.Select Active.The Docusign eSignature spoke synchronizes accounts, templates, and envelopes daily. Synchronize Docusign data as needed with a UI action. Navigate to Docusign > Accounts.The Accounts [sn_docusign_spoke_accounts] table opens.Click the Get Accounts related link.The system synchronizes all accounts linked through an OAuth Credential record and populates the Templates and Envelopes tables with Docusign data. Use template and envelope records when constructing flows. Bonus 2: Test the Integration with a Simple Spoke Action Use the Look up Accounts by Alias spoke action to test the integration.This action retrieves accounts associated with the spoke Connection and Credential alias records. If the tests above complete successfully, your DocuSign eSignature Spoke is ready to use. If you encounter any issues, please revisit the steps above or contact us for assistance whenever needed.