Error while requesting an access token: {"error":"consent_required"} #111

Closed
gvasas13 opened this issue May 17, 2019 · 6 comments

Comments

@gvasas13

I'm in the process of going live and I can't shake this error no matter what I try.

I've gone through the JWT procedures and I believe I've done them all. https://www.docusign.com/blog/dsdev-using-the-oauth-jwt-flow/

I keep seeing things mentioning going into the Organization security policies but my account doesn't have that.

We had this code working perfectly in Dev so I don't think the issue is my code.

I put in two tickets over the last two days and your support just deletes them with 0 comments as to why and it's pretty infuriating.

I've had great success asking this forum for help in the past so here I am again.

Is there some simple check box or a thing I need to turn on to get past this?

I've been spinning my wheels getting nowhere with this.

Let me know if you want to see any code.

Thanks for the help guys!

@LarryKlugerDS
Contributor

Hi,

I'm sorry you're having this problem.

If you are receiving the error consent required then the problem is that the User guid that you've supplied has not granted consent.

Two ways to fix:

  1. If your account has the Organization Administration feature and you have captured your email domain for your account, then you can use the Organization Administration feature to grant Blanket Consent, also known as Administrative Consent, to your client id (integration key).

  2. You can have the user, whose guid you're using, grant individual consent. You do this by having the user go through the first steps for the authorization code grant flow. For an example of this, see the special handling for the consent required error in the JWT example. See lines 51-63 of this file.

    You will need to set a redirect URL for the client id to enable the first steps of the Authorization Code Grant flow. You do not need to add a secret key to the client id nor use the authorization code.

@gvasas13
Author

Thanks for the reply Larry,

I'd much rather have the blanket Consent route work as it seems like the simpler approach. Is having the Organization Administration an additional charge? I'm having a horrible experience with the support department still. They sent me an email saying I need to reply to the open ticket this morning but that ticket's been deleted to the best of my knowledge. Since you and megis have been the only two people in your company to reply to anything I've sent, is there any way I could get this feature turned on through you?

@LarryKlugerDS
Contributor

Hi @gvasas13,
Yes, Organization Admin is an extra feature (at extra cost) that not all production accounts have. You can have it added to your developer sandbox at no charge if you'd like to try it out. Send an email to go-live@docusign.com and include your AccountId.

@LarryKlugerDS
Contributor

I'm closing this issue out.
Please re-open this issue as needed.
Thanks,
Larry

@hkarir0612

Hi Larry,
I too am encountering the same "consent_require" error while generating the JWT access code. I have done all the steps mentioned in the JWT document for user consent. I am not sure what additional steps are required to generate the access token.
Please help me understand the root cause, as we will be going live in a week.

@LarryKlugerDS
Contributor

Hi @harsharahul,

If you (and the users of your API integration) have organization administration enabled, with an email domain captured, then you can use Administrative Consent (also called Blanket Consent) to proactively grant consent to an IK (a client id) to impersonate anyone in your account.

But many accounts do not have organization administration, or they have not captured an email domain.

In these cases, each person who will be impersonated by a JWT Grant must give individual consent to the IK.

See the Individual Consent section of the consent docs.

Here are the specific steps:

  1. With Individual Consent, the DocuSign user must open a URL in their browser. The URL will enable the person to log in to DocuSign, grant consent to your integration key, and then your user will be redirected to a URL.

  2. Choose the URL where the user should be redirected to after they grant consent. The URL could be to a page that says "Thank you for granting consent." Or the URL could be the home page of your application, or the home page of your organization. It does not matter. But you must pick a URL, including https:// or http://. We will refer to this URL as the Redirect URL.

  3. Using the DocuSign Admin Tool, open the API and Keys section. Open your Integration Key's details.

  4. Add the Redirect URL as a Redirect URI on the form. See the screenshot:

    [Screenshot: admin tool redirect setting]

  5. Create the URL that will be used by the DocuSign user to grant individual consent. The URL has the following format for the Developer Sandbox system:

    https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=YOUR_INTEGRATOR_KEY&redirect_uri=YOUR_REDIRECT_URI

  6. Have the DocuSign user who will be impersonated open the above URL in their browser.

    If your integration is using an "integration account" such as hr@company_name.com, then you must open the URL in a browser and log in to DocuSign as the "user" hr@company_name.com to grant consent.
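
The `consent_required` handling and the individual-consent URL from the steps above, as an added example that is not part of the original thread or the project's own code. The function names, the all-zero placeholder integration key and the example.com redirect URI are assumptions; the endpoint, scopes and query parameters are the ones quoted in the thread.

```python
import json
from urllib.parse import quote, urlencode, urlsplit

# Developer Sandbox authorization endpoint and scopes, as quoted in the thread.
SANDBOX_AUTH_ENDPOINT = "https://account-d.docusign.com/oauth/auth"
CONSENT_SCOPES = ("signature", "impersonation")

# Constructed sample values (placeholders, not real credentials).
SAMPLE_INTEGRATION_KEY = "00000000-0000-0000-0000-000000000000"
SAMPLE_REDIRECT_URI = "https://app.example.com/consent-done"


def build_consent_url(integration_key, redirect_uri,
                      auth_endpoint=SANDBOX_AUTH_ENDPOINT):
    """Build the URL the impersonated user opens to grant individual consent."""
    parts = urlsplit(redirect_uri)
    # Step 2: the Redirect URL must include https:// or http://.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect_uri must be absolute (http:// or https://)")
    query = urlencode(
        {
            "response_type": "code",
            "scope": " ".join(CONSENT_SCOPES),
            "client_id": integration_key,
            # Must be the Redirect URI added to the integration key (step 4).
            "redirect_uri": redirect_uri,
        },
        quote_via=quote,  # encodes the scope separator as %20, as in the thread
    )
    return f"{auth_endpoint}?{query}"


def consent_url_if_required(token_response_body, integration_key, redirect_uri):
    """Return a consent URL only when the token response says consent_required."""
    try:
        payload = json.loads(token_response_body)
    except (TypeError, ValueError):
        return None  # not JSON: some other failure, do not send users to consent
    if not isinstance(payload, dict) or payload.get("error") != "consent_required":
        return None
    return build_consent_url(integration_key, redirect_uri)


if __name__ == "__main__":
    body = '{"error":"consent_required"}'  # error body from the issue title
    print(consent_url_if_required(body, SAMPLE_INTEGRATION_KEY, SAMPLE_REDIRECT_URI))
```

Passing the redirect URI through `urlencode` keeps any query string or fragment in it from being parsed as extra parameters of the authorization request.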
