docusignapi - HMAC webhook validation, from envelope callback

Question

I read through the instructions here, which works if you're using Connect at the "account level" (i.e. all envelopes get sent through one account).

Our use case involves requiring a customer to log into DocuSign using their own account, so I'm now setting a callback on the envelope. When I receive the callback in this scenario, the HMAC signature headers aren't sent (X-DocuSign-Signature-1, X-DocuSign-Signature-2, etc.).

Has anyone experienced this? I'm in ruby/rails, using the docusign_esign gem, version 2.0.0.

I see an include_hmac parameter in DocuSign_eSign::ConnectCustomConfiguration, but it's not clear to me if you can use a custom configuration with an envelope-level callback.

Any help is appreciated.

question from:https://stackoverflow.com/questions/65852366/hmac-webhook-validation-from-envelope-callback

Answer 1

The eventNotification object now includes an attribute includeHMAC.

If HMAC is set up at the account level, and includeHMAC is set to "true" then the HMAC headers will be included for per-envelope webhooks.

Unfortunately, the API call for setting up HMAC at the account level is not currently available. So customers need to have account-wide Connect to set the HMAC secret.

HMAC secrets are added and managed via the Connect Keys button in the Connect section of the eSignature Admin app: