App Passwords: More secure SOAP authentication using your existing code

As followers of the Docusign Developer Blog might already know, our old legacy username/password authentication flow is being deprecated and will be unavailable for use after September 2022. For REST apps, this means switching to use an OAuth2 grant. For SOAP apps, this means switching to our new authentication flow: App Password. 

In App Password authentication, your users create App Passwords, linked to their profiles, that they can use in place of their account password when going through auth to obtain access tokens. Any attempt to use an App Password to do something other than get an access token for an integration or make SOBO calls (such as attempting to log into their Docusign account via the website UI) will fail. This ensures that, even if an App Password is somehow compromised, the user’s account and data are still secure.

We know that a lot of developers use legacy authentication, and not all of them can easily spare the time and resources to refactor the authentication code for their apps. Fortunately, you should be able to use the same legacy authentication code that’s already in your app to perform App Password auth! Both authentication flows use exactly the same steps and syntax; just pass in the user’s App Password rather than their account password and you should still get an access token.

This means that you can switch to use a more secure way of authenticating users and stay in compliance with upcoming Docusign go-live and API call requirements without having to update any of your code! 

You can read more about the advantages of App Passwords, see how to generate them, and find best practices on the Dev Center.

Additional resources


Cameron Loewen
Cameron Loewen
Senior API Technical Writer