If a Canton Participant has no Auth configured, do I still need a JWT for the Ledger API?

Assuming that I have a non-sandbox deployment of the canton participant node.
No auth is set up.

Do I need to provide a JWT when submitting commands to the Ledger API or connecting to a stream?

My original understanding is that you always need a JWT when you interact with the JSON API, but with the Ledger API, you’d only need one if auth is configured.

However, this section in the documentation made me uncertain:
https://docs.daml.com/app-dev/authorization.html

This is not the case for participant nodes of deployed ledgers. They check for every Ledger API request whether the request contains an access token that is valid and sufficient to authorize the request. You thus need to add support for authorization using an access token to your application to run it against a deployed ledger.

So, do you need a JWT, or is the participant inferring who you need to be to successfully send the command and assume that this is your identity?

Also if you DO provide a JWT without auth being configured, is the JWT considered at all, or is the signature just not being verified?

1 Like

You don’t need a JWT if you’re running without auth and if you do provide one it is just ignored. That said, I strongly recommend to run with auth from the beginning (just use a shared secret during development). That way you see very early what issues you might run into once you inevitably have to turn on auth as you move to production.

Thank you, and yes agreed regarding using on from the get go even if it’s using HMAC.