Connecting Sage People to Docusign with JWT authentication

Understand how the Docusign integration works with Sage People using the JWT (JSON Web Token) authentication method.

How the integration works

The integration uses an authentication method known as JWT (JSON Web Token). This is a secure method that allows Salesforce to act as a Docusign user. It does this without storing or exchanging username and password credentials.

  • Docusign generates a private key/public key pair, of which the private key is secure in Sage People inside a certificate

  • When Sage People needs to send something to Docusign, Salesforce creates a signed token using the private key

  • Docusign verifies the token using the public key, and checks which Docusign User ID Salesforce is impersonating

  • The system performs all actions as that one Docusign user, regardless of who in Sage People initiates the process

This means:

  • It doesn't matter which Sage People user clicks the button to generate a Docusign envelope inside Sage People

  • It doesn't matter whether that Sage People user has their own personal Docusign license

  • The integration will always act as a single Docusign User, which is typically a service account

As long as that Docusign user remains active, the integration will function normally.

Choosing the Docusign user for the integration

Salesforce always impersonates one specific Docusign user. This means the integration depends on that user remaining active and licensed in Docusign. If that Docusign user becomes inactive, disabled, or deleted:

  • Docusign will reject authentication requests

  • All API calls from Sage People will fail

  • Sage People will still allow users to click buttons, but the Docusign step won't complete

To avoid this dependency on an individual employee, we recommend using a dedicated Docusign service account.

Why we recommend a service account

Using a real employee's Docusign account for an integration is technically possible, but it introduces operation risk. If that person...

  • Leaves the organization

  • Changes roles

  • Has their Docusign license removed

  • Or you disable their account for any reason

... the integration will stop working until you reconfigure it.

A service account avoids this entirely because:

  • It's not tied to an employee lifecycle

  • It provides a stable, long-term identity for the integration

  • It prevents unexpected outages caused by user deactivation

  • It keeps the configuration clean and easier to maintain

For these reasons, most organizations choose to run their Docusign integrations through a dedicated service account from the outset.