Auth in ledger api

I have a ledger to deploy to simulate prod; here's my auth.conf:

canton.participants.app-provider {
  ledger-api {
    auth-services = [{
      type = jwt-jwks
      target-audience = audience-apis
      url = "http://localhost:8080/v1/auth/jwks"

    }]

    user-management-service.additional-admin-user-id = "user-id"
  }
}

Because we wanted to use an additional admin user so we can use the token to do admin stuff; I need clarity on this.

But it seems that the auth doesn't work when I run the sandbox with

daml sandbox --config auth.conf

Because anything goes really, and it doesn’t hold back.

As opposed to this:

canton.participants.sandbox.ledger-api.auth-services = [{
    type = jwt-jwks
    url = "http://localhost:8080/v1/auth/jwks"

    # issuer = "my-auth-service-id"
}]

Also, some part of the doc says we should set the JWT token like this:

{
  "https://daml.com/ledger-api": {
    "ledgerId": "sandbox",
    "applicationId": "foobar",
    "actAs": ["Alice"]
  }
}

And yet I see this also:

{
   "aud": "https://daml.com/jwt/aud/participant/someParticipantId",
   "sub": "someUserId",
   "iss": "someIdpId",
   "exp": 1300819380
}

Which one is which?

Also, is the "sub": "someUserId" the user ID of the party?

Thanks

Yes. The sub: field of the JWT is the Canton User (e.g., alice). It is not the Daml Party (e.g., alice::abcd12345....).

There are three formats. The Canton 2.x docs describe a "Custom Claims" format for JWT. That one is deprecated. The remaining two options are "Audience-based" and "Scope-based". They are described here.

I’ll confess this is unfamiliar to me. Did you see that somewhere?

Here is a link: Here

Although this just makes a reference to it, I can't remember where I saw the full setup like this, but I know I grabbed it from the docs:

canton.participants.app-provider {
  ledger-api {
    auth-services = [{
      type = jwt-jwks
      target-audience = audience-apis
      url = "http://localhost:8080/v1/auth/jwks"

    }]

    user-management-service.additional-admin-user-id = "user-id"
  }
}

So does that mean I can just do

{
  "aud": "https://daml.com/jwt/aud/participant/someParticipantId",
  "sub": "someUserId",
  "iss": "someIdpId",
  "exp": 1300819380
}

And btw, what's the ParticipantID?

Thank you for pointing me to this new feature! I had overlooked it. I have updated this sample to include an additional-admin-user-id.

Each participant will have its own participant id. See "How to get the participant id when auth-services is configured?".
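As an added example (not from this thread or the Canton docs), here is a small Python check of the audience-based token format discussed above: it accepts only a token whose aud names this participant, whose sub carries the Canton user id and whose exp is in the future, and it rejects the thread's sample exp (already in the past) and an old custom-claims token. It uses a constructed HS256 key in place of the RS256 keys that a jwt-jwks auth-service fetches from its JWKS url; the participant id, user and issuer values are the placeholders from the thread.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed HS256 key for this offline example only; a ledger-api with
# type = jwt-jwks verifies RS256 signatures against the configured JWKS url.
SECRET = b"constructed-example-key-not-for-production"
PARTICIPANT_ID = "someParticipantId"  # placeholder value from the thread
EXPECTED_AUD = "https://daml.com/jwt/aud/participant/" + PARTICIPANT_ID

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict) -> str:
    """Sign claims with the constructed key (stands in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason or user id) under the audience-based rules."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # never trust the token's own alg choice
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        # token minted for another participant, or the deprecated custom-claims format
        return False, "audience mismatch"
    if not isinstance(claims.get("sub"), str):
        return False, "missing sub (Canton user id)"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    return True, claims["sub"]  # the Canton user, not a Daml party
```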