DocuSign
Send envelopes, query agreements, and run Maestro workflows via DocuSign's Intelligent Agreement Management platform
DocuSign integration connects your agents to DocuSign's IAM platform — eSignature envelopes, Maestro workflows, Navigator agreements, and Data Verification — through DocuSign's official MCP server.
Server URL: https://mcp.docusign.com/mcp
Setup
- Register a DocuSign Integration Key (see Bring your own app below)
- Navigate to Resources and click Add Resource
- Select DocuSign from the catalog
- Paste your Client ID (Integration Key UUID) and Client Secret
- Click Add
Each user connects their own DocuSign account via OAuth when they first use a DocuSign tool. Navigate to Connections to manage linked accounts.
Credential modes
DocuSign is bring-your-own-app only — every customer registers their own Integration Key. DocuSign does not support OAuth Dynamic Client Registration, and Integration Keys are tied to a customer account, so a shared embedded credential isn't a viable option here. See Credential modes for how this compares to other catalog resources.
Bring your own app
A DocuSign account admin must register an Integration Key (DocuSign's term for an OAuth client) and promote it through DocuSign's Go-Live process before the gateway can use it. DocuSign doesn't allow apps to be created directly in production accounts — every app must be created in a developer account and then promoted.
In your AI Security workspace, go to Resources → Add Resource → DocuSign and copy the redirect URI shown in the dialog.
In your DocuSign developer account at admindemo.docusign.com, open Settings → Apps and Keys → Add App / Integration Key and configure:
- Authentication — enable the Authorization Code Grant flow and add a Secret Key, then copy it. This is your Client Secret.
- Redirect URIs — paste the redirect URI you copied from AI Security.
- Scopes — enable every scope listed under Required scopes below. DocuSign rejects the OAuth request if the integration isn't entitled to a requested scope.
Save the app, then copy the Integration Key UUID at the top — this is your Client ID.
Submit the app for Go-Live. From the app's settings, follow DocuSign's Go-Live promote process. DocuSign reviews and approves the app — typically several business days. Every customer must complete this step, including existing DocuSign customers with active subscriptions, because Integration Keys are app-specific and DocuSign approves them individually. Once approved, the same Integration Key becomes usable against your production DocuSign account. The gateway connects to DocuSign's production MCP server (mcp.docusign.com/mcp) — so the integration won't work against real DocuSign data until Go-Live is approved.
Back in your AI Security workspace, paste the Client ID and Client Secret into the DocuSign resource dialog, then click Add.
Available tools
| Tool | Description |
|---|---|
assessTemplatesForDV | Inspect templates and surface fields suitable for Data Verification |
cancelWorkflowInstance | Cancel a running Maestro workflow instance |
cloneDVEnabledTemplates | Clone templates and apply Data Verification field mappings |
createEnvelope | Create an envelope from a template or from documents at a remote URL |
discoverDVApps | Identify Data Verification apps compatible with given field types |
generateAccessToken | Interactive OAuth helper for creating Integration Keys and access tokens |
getAccount | Get account information for an eSign account |
getAgreementDetails | Get details for a specific Navigator agreement |
getAllAgreements | List Navigator agreements with filters and sort |
getBillingPlan | Get billing plan details by ID |
getBrand | Get a single brand by ID |
getBrands | List brands configured on the account |
getEnvelope | Get the status of a single envelope |
getEnvelopes | Search envelopes by date, ID, status, or sender/recipient |
getTabGroups | List tab groups configured via the Connected Fields API |
getTemplates | List templates with date, folder, and search filters |
getUser | Get a single eSign user by ID |
getUserInfo | Get the authenticated user's profile, accounts, and API base URIs |
getUsers | List eSign users on the account |
getWorkflowInstance | Get details for a specific Maestro workflow instance |
getWorkflowInstancesList | List instances of a Maestro workflow |
getWorkflowTriggerRequirements | Get trigger inputs required by a Maestro workflow |
getWorkflowsList | List available Maestro workflows |
installDVApps | Install Data Verification apps from a prior discovery step |
listBillingPlans | List billing plans associated with the distributor |
listRecipients | List recipients of an envelope and identify the current routing position |
pauseNewWorkflowInstances | Pause creation of new instances of a Maestro workflow |
planTemplateDataVerification | Generate a structured plan for enabling Data Verification on templates |
resumeWorkflow | Resume a paused Maestro workflow |
searchDocusignDocs | Search and reason over DocuSign Developer Center documentation |
suggestBestPractices | Analyze a DocuSign integration pattern and suggest upgrades |
triggerWorkflow | Trigger a new instance of a Maestro workflow |
updateEnvelope | Update an envelope: send, void, modify email, manage workflow steps |
Required scopes
signature— eSignature envelopes, templates, brands, recipients, and usersaow_manage— Maestro workflows (trigger, list, pause, resume, cancel)adm_store_unified_repo_read— Navigator agreement queriesagreement_object_model_read— full IAM agreement schema ingetAgreementDetailsmodels_read—searchDocusignDocsandsuggestBestPracticesAI toolsme_profile— authenticated user profile viagetUserInfoextended— keep refresh tokens valid beyond the default 30-day window
If your DocuSign account isn't entitled to all of these (for example, IAM features on a base plan), drop the unsupported scopes from the OAuth request — DocuSign rejects the entire authorization if any requested scope is unavailable. The corresponding tools will fail with a permission error at call time, but the rest of the surface keeps working.
Policy examples
- Allow read-only access: tool patterns
get*,list*,search*,assessTemplatesForDV,discoverDVApps,planTemplateDataVerification - Block envelope sending and modification: deny
createEnvelope,updateEnvelope - Block workflow control but allow inspection: allow
get*, denytriggerWorkflow,cancelWorkflowInstance,pauseNewWorkflowInstances,resumeWorkflow - Restrict admin tooling: deny
installDVApps,cloneDVEnabledTemplates,generateAccessToken