When do I need to provide a dummy token to interact with the sandbox?

I’m a bit confused by the following: if I start the sandbox without any authentication specified, and I run a JSON API service in front, I need to present a “dummy” token (ie. a well-formed one with secret secret) in my header in order to be able to interact with the JSON API. However, if I run a trigger host or DAML script I don’t need to provide such token. Is it the JSON API that enforces the presence of a token here, and the sandbox just ignores it? Or is there some implicit token generation happening in the trigger host or script runner?

The JSON API enforces the token since It uses it to infer the party. The ledger API never requires a dummy token so there is no implicit token generation going on in the trigger host or script runner. If you run DAML Script over the JSON API you also need a token.