Script running with authentication

Hi Team,
I am using the sample daml code with a script here:

setup : Script AssetId
setup = script do
-- user_setup_begin
  alice <- allocatePartyWithHint "Alice" (PartyIdHint "Alice")
  bob <- allocatePartyWithHint "Bob" (PartyIdHint "Bob")
  aliceId <- validateUserId "alice"
  bobId <- validateUserId "bob"
  createUser (User aliceId (Some alice)) [CanActAs alice]
  createUser (User bobId (Some bob)) [CanActAs bob]
-- user_setup_end

  aliceTV <- submit alice do
    createCmd Asset with
      issuer = alice
      owner = alice
      name = "TV"

  bobTV <- submit alice do
    exerciseCmd aliceTV Give with newOwner = bob

  submit bob do
    exerciseCmd bobTV Give with newOwner = alice

This script runs well in Sandbox without authentication.

Once we enable authentication with this

daml sandbox -c auth.conf

daml ledger upload-dar --access-token-file adminjwt .daml/dist/seconddaml-0.0.1.dar

When we run the script (adminjwt works fine in uploading the DAR)

daml script --dar .daml/dist/seconddaml-0.0.1.dar --script-name Main:setup --ledger-host localhost --ledger-port 6865 --access-token-file adminjwt

We get authentication problems

Exception in thread "main" com.daml.lf.engine.script.ScriptF$FailedCmd: Command submit failed: PERMISSION_DENIED: An error occurred. Please contact the operator and inquire about the request <no-correlation-id>

My observation is that the first part of the script, “user setup”, works well with the adminjwt (with userid set to participant_admin), but this token cannot be used when representing alice and bob, despite the fact that alice and bob are already defined as users in the ledger.

What is the best way in this case? Ideally we can use participant_admin to create users alice and bob, then we can use alice and bob to execute the remainder of the script.

Thanks in advance.



I would say that the best thing to do is to split the script in three, run the setup as an admin, output the party identifiers for the users and use those in two further scripts which can be run with a token for alice and bob respectively.


Thanks @stefanobaghino-da, I also thought of this. But by breaking the script into parts, there’s a challenge to link the right parties between the scripts. Can you share more ideas on how this can be done?

Also if this can be highlighted in the documentation that will be better. There are a lot of scripts written in this way prior to v2.0. When moving to v2.0 we will have this challenge.

Many thanks again.


The documentation of Daml Script shows an example of having party identifiers as output of a script. The file at the path provided as part of --output-file will contain the relevant party identifiers. The file can be then fed to the other scripts using --input-file.

The initialization script already creates an alice and bob user, which can respectively act as the Alice and Bob party. So you’ll need to point to a file where the token with the appropriate fields is populated. You’ll need the user names in there, so you don’t need to bootstrap the process using party identifiers.
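An added example, not part of the thread or of the Daml documentation: a sketch of producing one token file per user and checking which user a token file is actually for before passing it to --access-token-file. It assumes the sandbox accepts HS256 tokens signed with a shared secret (auth.conf is not shown in the thread) and that the payload follows the Daml 2.x user access token layout (`sub`, `scope`, `exp`); the secret and the file names alicejwt and bobjwt are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SCOPE = "daml_ledger_api"            # scope carried by Daml 2.x user access tokens
SECRET = b"constructed-test-secret"  # assumption: must match the sandbox's auth.conf

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint_user_token(user_id: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """HS256 JWT whose `sub` is the ledger user id (e.g. "alice"), not a party id."""
    now = int(time.time()) if now is None else now
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": user_id, "scope": SCOPE, "exp": now + ttl})
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + b64url(sign(signing_input, secret))

def check_token(token: str, secret: bytes, expected_user: str, now=None):
    """Pre-flight check for a token file (requires `exp`): returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.strip().split(".")
        header, payload = json.loads(unb64url(head)), json.loads(unb64url(body))
        given = unb64url(sig)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    if not hmac.compare_digest(sign(f"{head}.{body}", secret), given):
        return False, "bad signature"
    if not isinstance(payload, dict) or SCOPE not in str(payload.get("scope", "")).split():
        return False, "wrong scope"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    if payload.get("sub") != expected_user:
        return False, f"token is for user {payload.get('sub')!r}"
    return True, "ok"

if __name__ == "__main__":
    for user in ("alice", "bob"):            # users created by the setup script
        with open(f"{user}jwt", "w") as fh:  # hypothetical file names
            fh.write(mint_user_token(user, SECRET))
```

Running check_token on the admin token with expected_user "alice" reports the mismatch locally, before the script is started with the wrong token file.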


Thanks @stefanobaghino-da I will do a trial on this.

Thanks again and have a nice day.

