DocuSign API Key
Service Name: DocuSign
Service Description: DocuSign is a leading electronic signature and digital transaction management platform that enables users to send, sign, and manage documents electronically in a secure environment.
Service Address: https://www.docusign.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the account level through DocuSign Admin settings.
Secret Access Scope: Grants programmatic access to DocuSign APIs, allowing applications to create, send, and manage electronic signature workflows and documents.
Secret Revokement URL: https://developers.docusign.com/platform/auth/keys-and-apps/
Secret Example: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
Suspicious Activity Investigation Instructions:
- Review DocuSign account activity logs for unusual document sending or signing patterns.
- Check for unauthorized API integrations or applications connected to your DocuSign account.
- Monitor for unexpected changes in account settings or user permissions.
- Examine API usage metrics for abnormal request volumes or patterns.
- Verify if documents were created, sent, or accessed from unusual locations or devices.
Mitigation Instructions:
- Log in to your DocuSign Admin console.
- Navigate to API and Keys section under Integrations.
- Locate the compromised API key and select Revoke or Delete.
- Generate a new API key if needed for legitimate applications.
- Update any authorized applications with the new API key.
- Review and update IP restrictions for API access if available.
- Consider implementing additional security measures such as OAuth 2.0 for application integrations.
- Audit user access and permissions to ensure only authorized personnel can create API keys.