Required JWT authorization for filters_by_party of active contracts?

WallaceKelly · January 23, 2026, 3:26pm

For this situation…

admin is stakeholder on all contracts
clientA is stakeholder on some contracts

… if I call the gRPC GetActiveContracts method (or the state/active-contracts JSON endpoint) with the following…

A JWT authorizing canReadAs(admin)
A filters_by_party for clientA

Question: Will the query result include the contracts on which clientA is a stakeholder, since admin has “visibility” to all the contracts?

WallaceKelly · January 23, 2026, 3:26pm

No, that call will fail with an auth error.

To filter for clientA contracts, the caller must have authorization to canReadAs(clientA) (which is also implied by canActAs(clientA) and canReadAsAnyParty).

See here:

Topic		Replies	Views
CanReadAsAnyParty, WildcardFilter, and "Claims do not authorize to read data as any party (super-reader wildcard)" Questions	2	110	January 25, 2026
JSON-API Get v1/query does not return all contract Questions	3	465	July 10, 2020
List Contracts for a Provider Canton Network ledger-api	7	201	June 23, 2025
Java gRPC - Get Contract By ContractId Questions	4	211	June 27, 2022
In Canton 3.x, how do I use the admin console to list contracts visible to a given user? Questions canton	2	87	February 11, 2025

Required JWT authorization for filters_by_party of active contracts?

Related topics