> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Set up a Docusign connector > C1 provides identity governance for Docusign. Integrate your Docusign instance with C1 to run user access reviews (UARs) and enable just-in-time access requests. **This is an updated and improved version of the Docusign connector!** If you're setting up Docusign with C1 for the first time, you're in the right place. ## Capabilities | Resource | Sync | Provision | | :------------------ | :-------------------------------------------------------------- | :------------------------------------------------------------ | | Accounts | | | | Groups | \* | | | Signing groups | | | | Permission profiles | | | The Docusign connector supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning). Every Docusign account must be assigned at least one permission profile. If all other permission profiles are revoked, the account will be automatically assigned the **DocuSign Viewer** profile, which cannot be revoked. \*By default, signing groups are not synced. You can configure the connector to sync signing groups, if desired. ## Gather Docusign credentials Configuring the connector requires you to pass in credentials generated in Docusign. Gather these credentials before you move on. The Docusign credentials requirements depend on your chosen hosting method and authentication mode: * **Cloud-hosted (production)**: You'll use C1's managed OAuth app. No additional credentials are needed. You can **skip this section** and go straight to the cloud-hosted setup instructions below. * **Cloud-hosted (demo environment)** or **Self-hosted**: You'll need to create a Docusign developer app. Go on to the next section. ### Create a Docusign app A user with access to the **Docusign Admin console** must perform this task. In the Docusign Admin Console, click **Add App and Integration Key**. Choose a name for your app, such as "C1" and click **Create App**. On the app configuration screen, carefully copy and save the **Client ID** (also called an integration key). Click **Add Secret Key**, then carefully copy and save the client secret. In the **Redirect URI** field, enter any URI of your choice (such as [http://example.com/callback](http://example.com/callback)) and click **Add**. Under **Authentication**, enable **Authorization Code Grant**. Click **Save** at the bottom of the page. #### Generate an OAuth refresh token Follow the [Docusign instructions to generate a refresh token](https://developers.docusign.com/platform/auth/confidential-authcode-get-token#use-refresh-tokens). **Done.** Next, move on to the connector configuration instructions. ## Configure the Docusign connector To complete this task, you'll need the **Connector Administrator** or **Super Administrator** role in C1 and the relevant set of permissions on your Docusign account: * To sync access data (READ): Read users, groups, and permissions. * To sync access data and provision accounts (READ/WRITE): Create users plus read users, groups, and permissions. **Follow these instructions to use a built-in, no-code connector hosted by C1.** In C1, navigate to **Integrations** > **Connectors** and click **Add connector**. Search for **Docusign v2** and click **Add**. Choose how to set up the new Docusign connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. Find the **Settings** area of the page and click **Edit**. Choose your **authentication method**: * **OAuth Authentication** (default) — connects to DocuSign's production environment using C1's managed OAuth app. No additional credentials required. * **Custom App (Demo Environment)** — connects to DocuSign's demo environment (`account-d.docusign.com`) using your own DocuSign developer app. See [Create a Docusign app](#create-a-docusign-app) above to obtain your credentials. **If you selected Custom App (Demo Environment):** Enter the **Client ID** and **Client Secret** from your DocuSign developer app. **Optional.** Click to **Sync signing groups**, if desired. **Optional.** If your organization has multiple DocuSign accounts under the same tenant, enter the **API Account ID** (UUID) of the account you want to sync. Leave blank to use your default account. To sync multiple accounts, create a separate connector for each one. Do not change the **API Account ID** to a different account on a connector that is already syncing. Doing so will cause all previously synced resources to be treated as deleted and all sync history will be lost. If you need to sync a different account, create a new connector instead. Click **Login with OAuth**. Log in and authorize C1 with your Docusign instance. After authorizing, you'll be redirected back to the C1 integrations page, where an "Authorized as" message is now printed. Click **Save**. The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing. **Done.** Your Docusign connector is now pulling access data into C1. **Follow these instructions to use the Docusign connector, hosted and run in your own environment.** When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests. ### Resources * [Official download center](https://dist.conductorone.com/ConductorOne/baton-docusign): For stable binaries (Windows/Linux/macOS) and container images. * [GitHub repository](https://github.com/conductorone/baton-docusign): Access the source code, report issues, or contribute to the project. ### Step 1: Set up a new Docusign connector In C1, navigate to **Integrations** > **Connectors** > **Add connector**. Search for **Baton** and click **Add**. Choose how to set up the new Docusign connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. In the **Settings** area of the page, click **Edit**. Click **Rotate** to generate a new Client ID and Secret. Carefully copy and save these credentials. We'll use them in Step 2. ### Step 2: Create Kubernetes configuration files Create two Kubernetes manifest files for your Docusign connector deployment: #### Secrets configuration ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-docusign-secrets.yaml apiVersion: v1 kind: Secret metadata: name: baton-docusign-secrets type: Opaque stringData: # C1 credentials BATON_CLIENT_ID: BATON_CLIENT_SECRET: # Docusign credentials BATON_DOCUSIGN_CLIENT_ID: BATON_DOCUSIGN_CLIENT_SECRET: BATON_REDIRECT_URI: BATON_REFRESH_TOKEN: # Optional: include if you want C1 to provision access using this connector BATON_PROVISIONING: true # Optional: include if you want C1 to sync signing groups BATON_INCLUDE_SIGNING_GROUPS: true # Optional: set to true to connect to the DocuSign demo/UAT environment (account-d.docusign.com) # When omitted or false, the connector targets DocuSign production (account.docusign.com) # Note: demo mode is automatically enabled when BATON_DOCUSIGN_CLIENT_ID is set. BATON_DEMO: true # Optional: API Account ID (UUID) of the DocuSign account to sync. # Leave blank to use your default account. # Required only if your organization has multiple DocuSign accounts. # Find it in DocuSign Admin → Apps and Keys → My Account Information → API Account ID. # WARNING: do not change this value on an existing connector — create a new connector instead. BATON_ACCOUNT_ID: ``` See the connector's README or run `--help` to see all available configuration flags and environment variables. #### Deployment configuration ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-docusign.yaml apiVersion: apps/v1 kind: Deployment metadata: name: baton-docusign labels: app: baton-docusign spec: selector: matchLabels: app: baton-docusign template: metadata: labels: app: baton-docusign baton: true baton-app: docusign spec: containers: - name: baton-docusign image: ghcr.io/conductorone/baton-docusign:latest imagePullPolicy: IfNotPresent env: - name: BATON_HOST_ID value: baton-docusign envFrom: - secretRef: name: baton-docusign-secrets ``` ### Step 3: Deploy the connector Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files. Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Docusign connector to. Docusign data should be found on the **Entitlements** and **Accounts** tabs. **Done.** Your Docusign connector is now pulling access data into C1.