The ledger identity service only requires public claims so it needs a valid token but no specific
admin claims. The time service requires public claims for
admin claims for
SetTime. Note that the time service is only available in static time mode on sandbox and is intended for testing not for production ledgers so you usually use it without authentication.
You can find a table with all ledger API endpoints and the required claims at https://docs.daml.com/app-dev/authorization.html#access-tokens-and-claims.
As for your question about the
admin token, I think it helps to take a look at what you can do with such a token:
- Interact with the time service. As mentioned above, this is only intended for testing. I’m not aware of a distributed ledger that actually supports this.
- Interact with the reset service. Again only intended for testing, I don’t know a distributed ledger that supports this.
- Allocate parties. This is a production feature but you allocate the party on the given participant so it’s in some sense “local” and if the participant prefixes all party ids by an identifier for the participant you don’t have to worry about collisions across participants.
- Upload packages. This is a production feature and those packages are distributed to other participants. However, it is fairly harmless because packages are content-addressed and you cannot delete them.
So an admin token allows you to allocate new parties and upload packages but both of those are purely additive.