Hi @iko! DAML was designed to be blockchain agnostic. That means that the same DAML code can be deployed to several different ledgers (aka blockchains). For this, DAML abstracts the concept of signatories and leaves it to the underlying ledger to implement cryptographic primitives for signatures. In particular, the location of private keys in the system depends on the ledger you choose to deploy your DAML code on. Also, this underlying ledger will define what exactly a node is and what its capabilities and trust assumptions are. This could be a fully centralized architecture, say a central Postgres database server, or something fully decentralized, more like Sawtooth.
The HTTP JSON API provides a simple ledger API that tries to capture most needs of typical applications. The JWT authorizes you to read/act as a user by means of a token, but the provider of that token is again of your choosing. You could for example use an external provider like auth0.com, but you can just as well run your own provider somewhere in the system. Again, you're very free to choose the security architecture that you like and trust. For example, you could just skip the HTTP JSON API altogether and run directly against the underlying ledger API.
I hope this answers your question!
3 Likes
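To make the token part of the answer concrete, here is an added example (not code from the original post or from the DAML project) of what "the provider of that token is of your choosing" means in practice: a minimal HS256 JWT issuer and verifier written with only the Python standard library. The claim layout under the `https://daml.com/ledger-api` namespace (`ledgerId`, `applicationId`, `actAs`, `readAs`) is assumed to match the custom-claim format the DAML 1.x HTTP JSON API documents; the signing secret, ledger id, application id and party names are constructed for the example. The point it shows is that the signing key lives with the token provider, and the JSON API only needs to verify the signature and read the `actAs`/`readAs` lists to decide which parties a request may act or read as.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example. In a real deployment only the
# token provider (auth0, your own service, ...) holds the signing key.
SIGNING_SECRET = b"example-shared-secret-do-not-use"

# Assumed custom-claim namespace used by the DAML 1.x HTTP JSON API.
LEDGER_API_CLAIM = "https://daml.com/ledger-api"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_token(ledger_id, application_id, act_as, read_as=(), ttl=3600, now=None):
    """Token provider side: issue an HS256 JWT carrying the ledger-api claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        LEDGER_API_CLAIM: {
            "ledgerId": ledger_id,
            "applicationId": application_id,
            "actAs": list(act_as),
            "readAs": list(read_as),
        },
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = f"{_b64url(_json_compact(header))}.{_b64url(_json_compact(payload))}"
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, now=None):
    """JSON API side: return the ledger-api claims if the token is valid, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: an "alg": "none" header or anything unexpected is rejected
    # before the signature is even looked at.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload.get(LEDGER_API_CLAIM)


def can_act_as(claims, party) -> bool:
    """A command submitted on behalf of `party` needs that party in actAs."""
    return claims is not None and party in claims.get("actAs", [])


def can_read_as(claims, party) -> bool:
    """Reading contracts visible to `party` is allowed via actAs or readAs."""
    return claims is not None and (
        party in claims.get("actAs", []) or party in claims.get("readAs", [])
    )


if __name__ == "__main__":
    token = mint_token("sandbox", "demo-app", act_as=["Alice"], read_as=["Bob"])
    claims = verify_token(token)
    print("Alice may submit:", can_act_as(claims, "Alice"))
    print("Bob may submit:  ", can_act_as(claims, "Bob"))
    print("Bob may read:    ", can_read_as(claims, "Bob"))
```

Swapping the HS256 shared secret for an RS256 key pair (provider signs, JSON API only holds the public key) is the usual way to run a separate provider such as auth0, and changes nothing about the claim layout or the authorization checks.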