API integrator key location

Question

We have completed an integration between our workflow application and docusign. Our integration has been certified by Docusign

So now when a user creates an account (lets say a Standard plan) and they want to integrate their account with our application. Do they need to enter our Integrator key? If so where do they find this?

Thanks in advance Brent

Answer 1

No you do not expose your Integrator Key, that if a private identifier for your API integration. It is not user specific, or account specific, it is INTEGRATION specific and helps DocuSign identify which requests are coming through which integrations.

The users of your integration simply need DocuSign credentials (i.e. email + password) to use the integration. Under the hood your integration should have been coded up to plug in the user's credentials combined with your private Integrator Key and that request will have proper authentication to go through.

Answer 2

When your IK got certified they should have provided you with some guidance about keeping your IK secret. You could either encrypt the IK in your systems DB for reference or embed it into your source code. You should never give your IK out to your clients/users.

From their FAQ:

Is it okay to give my integrator key to my customers or others?

No. DocuSign expects partners to take appropriate measures to protect their Integrator Key. This implies that you do not show your Integrator Key in the Application UI or store it at places that can be easily accessed by others.

One technique to protect your Integrator Key is to embed it within the application code. Some choose to encrypt and store it in a database while retrieving again at run-time.