JWT auth questions

Hi everyone,

Any pointers on how to make use of participantID, ledgerID, and applicationID in JWT authentication? The docs say these “restrict the validity of the token to the given ledger, participant, or application”.

I’m looking for the other half of the story. Ledger ID seems to come from the “Ledger Identification Service” - how’s that configured? Application ID I can’t find how to set, and Participant ID is something to do with the Party Management Service but again I’m having trouble finding an example of how you might set one.


You can take a look at the ex-secure-daml-infra reference app. We set ApplicationID in that set of examples. The Ledger API will enforce that the JWT token values in the custom claim match the values set in the command (i.e. a submitted command must use the same Application ID as that defined in the authorization token). The specific values would be set in the Identity Manager used to create the JWT tokens.

Similarly, Ledger ID can be allowed to be set to a random value on startup, or you can set it as a parameter when you bring up a ledger initially.

  1. Ledger ID configuration depends on the specific ledger. For Daml on SQL, there is a --ledgerid CLI parameter to set this.
  2. Application id is set on command submission by the user.
  3. Participant id is another parameter that depends on the specific ledger. On Sandbox, this is always sandbox-participant and not configurable.
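To show the matching rule described above in working code, here is an added example (not from the forum thread, the ex-secure-daml-infra app, or the Daml SDK): it verifies an HS256 token, reads the three IDs from the Daml custom claim, and reports any that disagree with the ledger the command is submitted to. The secret, claim values and `check_scope` helper are constructed for illustration; a missing ID in the claim is treated as "no restriction", a present one must match exactly.

```python
import base64
import hashlib
import hmac
import json

# Namespace of the Daml ledger-api custom claim carrying ledgerId/participantId/applicationId.
DAML_CLAIM = "https://daml.com/ledger-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Constructed test issuer: signs the claims with HS256 so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_token(token: str, secret: bytes) -> dict:
    """Return the claims only if the header says HS256 and the signature checks out."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg in header")  # refuse 'none' or a swapped algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def check_scope(claims: dict, ledger_id: str, participant_id: str, application_id: str) -> list:
    """List every ID the token pins that does not match the submission; [] means accepted."""
    scope = claims.get(DAML_CLAIM, {})
    actual = {"ledgerId": ledger_id, "participantId": participant_id, "applicationId": application_id}
    return [f"{key}: token={scope[key]!r} actual={value!r}"
            for key, value in actual.items()
            if scope.get(key) is not None and scope[key] != value]


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    token = make_hs256_token({DAML_CLAIM: {"ledgerId": "my-ledger", "applicationId": "app-1",
                                           "actAs": ["Alice"]}}, secret)
    claims = verify_hs256_token(token, secret)
    print(check_scope(claims, "my-ledger", "sandbox-participant", "app-1"))  # no mismatch
    print(check_scope(claims, "my-ledger", "sandbox-participant", "app-2"))  # applicationId differs
```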

Ok thanks, so with Participant ID, this is under the control of whatever party management service is in use by the particular ledger driver? Or is it the participant identifier, not Daml Party?

It’s a participant identifier not a Daml Party. The party management service allows you to figure out the participant id of the participant you are connecting to but it’s not a party itself (and arguably it could just as well be a separate service that provides this).

In a single participant setting, this is not a very useful identifier, but in a multi-participant setting it can be used to distinguish logical participants.