You are reading the documentation for an outdated Corteza release. 2023.9 is the latest stable Corteza release.

Corteza Extensions

About Extensions

Extensions provide a way of extending the core Corteza system by implementing additional features and business logic of any complexity. This section covers the extensions developed and maintained by the core team. For the development, please refer to [extdev-index].



DocuSign is a service that allows our clients to sign documents, such as quotes and contracts online.

The extension implements 3 main components:

The data model

the data model required by the extension in order for it to work,


DocuSign’s OAuth2 authentication flow to authorize Corteza to access resources connected to your account,

Document signature

A set of automation scripts that allow us to send the document into signing, cancel the pending document and check for the signature status.

DocuSign is fairly strict in the terms of when your credentials can be used in production.

@todo add constraints

Required token scopes


This scope allows the token to perform most document related operations, such as sending the document to be signed, canceling the document, …​


This scope allows us to request new refresh tokens with a full lifetime of ~30days.


To get this extension up and running, the following conditions must be met:

Configuring a sink route

DocuSign works with OAuth protocol, and this requires us to define a callback endpoint.

Define a sink signature with --method GET and --signature-in-path as the parameters.

Take note of the generated signature. We will refer to it as $SS in the following sub sections.

Obtained credentials

  1. Under administration or demo administration, in the case of testing credentials, add a new application,

  2. specify a descriptive name,

  3. under "Authentication", select "Authorization Code Grant",

  4. under "Authentication", select "+ ADD SECRET KEY" — take note of the value; we will need it later and it will not be visible later on,

  5. under "Additional settings" > "Redirect URIs", select "+ ADD URI". Enter the URI in the form of {{$BASE_URL}}/system/sink/ext_oauth/callback/__sign={{$SS}} (see below example),

  6. optionally include link to Privacy Policy and Terms of Use in the following two boxes.

An example redirect URL:

Configured Corteza Low Code Data Model

For now, this must be performed manually. This will change in the near future.

Following the .yaml files provided in the extension, create:

  • required modules,

  • required pages,

  • configure automation blocks.

Configured Corteza Low Code

Lastly, we use the parts obtained in the previous step to configure our extension.

Create a single record in the ext_docusign_configuration module, and populate the following:

In Production?

The field determines if this credentials are used in production. It’s important to note, that your implementation must be approved by DocuSign,

Redirect URL

The field determines the same redirect URL that was used in the above Obtained credentials section. The URL’s must match,


Under administration or demo administration, in the case of testing credentials, take note of the "Account’s Base URI" value,

Account ID

Under administration or demo administration, in the case of testing credentials, take note of the "API Account ID" value,

Integration Key

Under administration or demo administration, in the case of testing credentials, select the application you wish to use, and take note of the "Integration Key" value,

Integration Secret

Insert the "secret key" value, that was generated in the above Obtained credentials section.

Obtaining Tokens

To obtain an access and a refresh token, you must complete the OAuth flow. Simply invoke the /client-scripts/compose/docusign/RequestConsent.js:default automation script with the help of a button, and the system takes care of the rest.

Access token expires after 8h, and will be refreshed every 6h in order to assure no downtime.

Refresh tokens expire after approximately 30days, but this can change at any time. When the refresh token expires, you are required to repeat the OAuth flow.