DocuSign JWT/Signing Security

I’m writing a Python/Django integration with DocuSign, where users will be sent from another application to DocuSign to sign a document, and then be sent back to the initial application. These users do not have DocuSign accounts.

I am currently using "request_jwt_user_token" alongside our service account to generate an envelope, attach a document, and create a recipient view. At the end this returns us a URL like:

https://demo.docusign.net/Signing/MTRedeem/v1/[random_string]?slt=[random_long_string]

I’m pretty sure the first random string is an identifier and the latter is an access token?

What I’m trying to understand is how secure this info is to pass on to arbitrary users. I’m keeping the jwt expiration low and setting the jwt scope to ["signature", "impersonation"]. But can the slt token be used to access other envelopes or do other signature api calls? I assume it can’t be used for anything outside of signing due to the scope.

> Solution:

The URL you posted here has nothing to do with JWT. It’s an embedded signing URL that you can redirect your user to in order to complete signing. They can then be redirected back to your app after they’re done.

This URL expires in 5 minutes (or 2 minutes) and so it’s very secure. It is also a URL that can be used only by one user (the one you set as the user signing the envelope and generated with the clientUserId).

The access token can be used to access other envelopes etc., but that access token is NOT in this URL and should never be shared.
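As an added example (not code from the question, the answer, or DocuSign), this is the server-side shape of the flow discussed above: the access token obtained from the JWT grant is used only on the server to create the envelope and the recipient view, and only the short-lived recipient-view URL is handed to the browser. It calls the eSignature v2.1 REST endpoints through an injected `post` callable instead of the docusign_esign SDK, so it runs offline; the endpoint paths, JSON keys, and all account, token and document values are assumptions for illustration.

```python
"""Embedded signing against the DocuSign eSignature REST API (example code).

`post(url, headers, body)` is injected and must return the decoded JSON
response, so the flow can be exercised offline with a fake transport.
Endpoint paths and payload keys are assumed to follow the v2.1 REST API.
"""

BASE_URL = "https://demo.docusign.net/restapi/v2.1"  # demo environment, as in the question


def build_envelope(document_b64, signer_name, signer_email, client_user_id):
    """One PDF, one embedded signer. clientUserId marks the signer as captive:
    no DocuSign account, they sign through our app's recipient view."""
    return {
        "emailSubject": "Please sign",
        "documents": [{"documentBase64": document_b64, "name": "contract.pdf",
                       "fileExtension": "pdf", "documentId": "1"}],
        "recipients": {"signers": [{
            "email": signer_email, "name": signer_name,
            "recipientId": "1", "clientUserId": client_user_id,
            "tabs": {"signHereTabs": [{"documentId": "1", "pageNumber": "1",
                                       "xPosition": "100", "yPosition": "100"}]},
        }]},
        "status": "sent",
    }


def mint_signing_url(post, access_token, account_id, envelope, return_url):
    """Create the envelope, then a recipient view, and return only the
    signing URL. The bearer token never leaves the server. The view URL
    expires within minutes, so call this at redirect time; do not store it."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    signer = envelope["recipients"]["signers"][0]
    env = post(f"{BASE_URL}/accounts/{account_id}/envelopes", headers, envelope)
    envelope_id = env["envelopeId"]
    view = post(f"{BASE_URL}/accounts/{account_id}/envelopes/{envelope_id}/views/recipient",
                headers, {
                    "returnUrl": return_url,
                    "authenticationMethod": "none",
                    "email": signer["email"],
                    "userName": signer["name"],
                    # must match the envelope's signer, which binds the URL to that one user
                    "clientUserId": signer["clientUserId"],
                })
    url = view["url"]
    if access_token in url:  # defensive: the token must never reach the browser
        raise RuntimeError("access token leaked into signing URL")
    return envelope_id, url
```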
