by nowarninglabel 2698 days ago
The author seems to have buried the lead here: "Someone on the team noticed that if you refresh the page, you get logged in as the user that was making the API request"

And that is how the implementation works for many of DocuSign's customers as a 'feature'. If that's true, that would seem like a potentially exploitable security hole. However, I'd have to question if that had something to do with the particular implementation; otherwise I'd expect more focus on the security repercussions.

1 comment

From what I can tell, the issue is that the OP was using a single user to perform all calls. They didn't want to sign users up individually, so they took this workaround route and found out that it wouldn't work after all. TL;DR: they weren't using the API as intended because they wanted the DS part of the UX to be transparent to the user.