“Bad Request” message in JWT OAuth authentication

Published 2020-05-04 17:06

Question:

I've followed all the instructions in the docs for generating a JWT token, but I only receive "Bad Request" as the response...

When I try to run eg-01-php-jwt the same occurs. I'm using the DocuSign demo environment and simulating requests using Postman and curl.

The steps I'm doing are:

  1. Generating the authorization URI as https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=c0c3e3b4-87ec-46e6-afad-9f8cf9dda84c&redirect_uri=http://example.com/api/docusign/obtain-consent/callback
  2. Fill in the login and password for a different DocuSign sandbox account
  3. At the redirected URI I get the code parameter and decode it at jwt.io, getting the kid value from the header
  4. Use the kid value as sub to generate a new JWT token
  5. Sign the JWT token with my private key
  6. Try to obtain an access token and receive "Bad Request" as the response message

My (updated) generated token is

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJjMGMzZTNiNC04N2VjLTQ2ZTYtYWZhZC05ZjhjZjlkZGE4NGMiLCJzdWIiOiI2ODE4NWZmMS00ZTUxLTRjZTktYWYxYy02ODk4MTIyMDMzMTciLCJpYXQiOjE1NTExMDA0MDksImV4cCI6MTU1MjEwMDQwOSwiYXVkIjoiYWNjb3VudC1kLmRvY3VzaWduLmNvbSIsInNjb3BlIjoic2lnbmF0dXJlIGltcGVyc29uYXRpb24ifQ.I1LhY77Rd0-op6UE3zUQvA5UxXIBzHUMyhhrwSN_TBv9ghiNAOr2aVz8Glf16bulkqSrE6A67h3DvL_VDm5NpNzcDQttjlf-CtlnBrjyt2w1niZkYnlmrUXW3SofDJkNHEj9-zQOa2XBrzTOLIhD6g2V0adBe45mwwGpMpOu0oPameUseDVEBeQ50mCZcyiMGYazEA0qeE9Ws9Rb7GxZxmOIZXaWirohmJhNfic5wHprJvA6tTwxai5-4xAwnhrjpsOWKoQRxXRkCKKcIIrKf8SEz4KOH2RCUBqMZRGys81CIDtowtLoDUeMCRKTaxnbrCFax4blJSZ8X3ptyneVpw

UPDATE @ 2019-02-26:

To achieve what I want I needed to complete the authorization code flow, get the user account ID from step 4 (retrieve user data) and finally generate the JWT token with that info as sub in the payload!

Answer 1:

That assertion previously only included the signature scope. JWT authentication requires signature impersonation.

Now that that has been updated, there are a couple of other possible issues:

  • Invalid user ID. The JWT assertion requires an active User ID in the sub field. If the user is closed or the ID is incorrect this will fail.

  • Invalid signature. The JWT assertion must be signed with an RSA private key associated with the iss / Client ID in use. If there are any invalid/encoding characters or trailing spaces, the signature may not be valid.

I'd recommend opening a case with DocuSign Support. On your side, you'll only receive the error invalid_grant. Support-side logging will have a more specific error. To assist with resolution, when opening a case please provide the following:

  • Integrator key
  • Demo account ID
  • JWT Assertion
  • x-DocuSign-TraceToken header value
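The checks the answer lists (impersonation scope present, sub is a user ID rather than a key ID, assertion free of stray characters or whitespace) can be run offline before an assertion is ever sent. The following Python is an added example, not code from the question, the answer or DocuSign; it parses the token posted in the question without verifying its signature and lints its claims against the client ID from the question's authorization URI. The demo audience host, the UUID shape required for sub, the one-hour ceiling on exp minus iat and the finding codes are assumptions made here; the page itself states only that the scope must be "signature impersonation" and that sub must be an active user ID.

```python
"""Offline lint of a DocuSign-style JWT grant assertion (RS256, signature NOT verified)."""
import base64
import json
import re

# Assumed expectations for the demo environment (not stated on the page).
EXPECTED_AUD = "account-d.docusign.com"      # demo host, no scheme, no path
REQUIRED_SCOPES = {"signature", "impersonation"}
MAX_LIFETIME_SECONDS = 3600                  # assumed one-hour ceiling on exp - iat
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # no '=' padding, no whitespace

# Values taken from the question: the client_id in the authorization URI and the posted token.
CLIENT_ID = "c0c3e3b4-87ec-46e6-afad-9f8cf9dda84c"
POSTED_ASSERTION = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJjMGMzZTNiNC04N2VjLTQ2ZTYtYWZhZC05ZjhjZjlkZGE4NGMiLCJzdWIiOiI2ODE4NWZmMS00ZTUxLTRjZTkt"
    "YWYxYy02ODk4MTIyMDMzMTciLCJpYXQiOjE1NTExMDA0MDksImV4cCI6MTU1MjEwMDQwOSwiYXVkIjoiYWNjb3VudC1kLmRv"
    "Y3VzaWduLmNvbSIsInNjb3BlIjoic2lnbmF0dXJlIGltcGVyc29uYXRpb24ifQ."
    "I1LhY77Rd0-op6UE3zUQvA5UxXIBzHUMyhhrwSN_TBv9ghiNAOr2aVz8Glf16bulkqSrE6A67h3DvL_VDm5NpNzcDQttjlf-"
    "CtlnBrjyt2w1niZkYnlmrUXW3SofDJkNHEj9-zQOa2XBrzTOLIhD6g2V0adBe45mwwGpMpOu0oPameUseDVEBeQ50mCZcyiM"
    "GYazEA0qeE9Ws9Rb7GxZxmOIZXaWirohmJhNfic5wHprJvA6tTwxai5-4xAwnhrjpsOWKoQRxXRkCKKcIIrKf8SEz4KOH2RC"
    "UBqMZRGys81CIDtowtLoDUeMCRKTaxnbrCFax4blJSZ8X3ptyneVpw"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_assertion(assertion: str):
    """Return (header, claims) as dicts; raise ValueError on structural problems."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    for i, part in enumerate(parts):
        if not B64URL_RE.fullmatch(part):
            raise ValueError(f"segment {i} has characters outside the base64url alphabet "
                             "(padding, whitespace or a trailing newline?)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def make_claims(client_id: str, user_id: str, now: int) -> dict:
    """Build the claim set for a JWT grant: iss = client ID, sub = user ID (a GUID), exp <= 1h."""
    return {"iss": client_id, "sub": user_id, "aud": EXPECTED_AUD,
            "iat": now, "exp": now + MAX_LIFETIME_SECONDS,
            "scope": " ".join(sorted(REQUIRED_SCOPES))}


def lint_claims(header: dict, claims: dict, client_id: str) -> list:
    """Return a list of finding codes; an empty list means nothing obviously wrong."""
    findings = []
    if header.get("alg") != "RS256":
        findings.append("alg-not-rs256")
    missing = [n for n in ("iss", "sub", "aud", "iat", "exp", "scope") if n not in claims]
    if missing:
        return findings + ["missing-" + n for n in missing]
    if claims["iss"] != client_id:
        findings.append("iss-not-client-id")
    if not UUID_RE.match(str(claims["sub"])):      # a kid or an e-mail address is not a user ID
        findings.append("sub-not-user-id-guid")
    if claims["aud"] != EXPECTED_AUD:
        findings.append("aud-mismatch")
    absent = REQUIRED_SCOPES - set(str(claims["scope"]).split())
    if absent:
        findings.append("scope-missing-" + "-".join(sorted(absent)))
    lifetime = int(claims["exp"]) - int(claims["iat"])
    if lifetime <= 0:
        findings.append("exp-before-iat")
    elif lifetime > MAX_LIFETIME_SECONDS:
        findings.append("lifetime-over-1h")
    return findings


def lint_assertion(assertion: str, client_id: str) -> list:
    """Structural check followed by the claim lint; structural errors short-circuit."""
    try:
        header, claims = split_assertion(assertion)
    except ValueError as err:
        return [f"structure: {err}"]
    return lint_claims(header, claims, client_id)


if __name__ == "__main__":
    print("posted token:", lint_assertion(POSTED_ASSERTION, CLIENT_ID))
    print("with trailing newline:", lint_assertion(POSTED_ASSERTION + "\n", CLIENT_ID))
    good = make_claims(CLIENT_ID, "68185ff1-4e51-4ce9-af1c-689812203317", 1551100409)
    print("freshly built claims:", lint_claims({"alg": "RS256"}, good, CLIENT_ID))
```

Run against the token from the question, the lint passes every check the answer names (the scope does include impersonation, sub is GUID-shaped, iss matches the client ID) but reports the assumed lifetime ceiling being exceeded, since its exp is 1,000,000 seconds after iat; a stray newline pasted into curl or Postman is caught as a structural finding before any claim is examined. Nothing here replaces the server-side check that sub is an active user, which is why the answer still points to DocuSign Support logs for the specific invalid_grant cause.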


Tags: docusignapi