Auth in ledger api
I have a ledger to deploy to simulate prod; here's my auth.conf
canton.participants.app-provider {
ledger-api {
auth-services = [{
type = jwt-jwks
target-audience = audience-apis
url = "http://localhost:8080/v1/auth/jwks"
}]
user-management-service.additional-admin-user-id = "user-id"
}
}
Because we wanted to use an additional admin user so we can use the token to do admin stuff, I need clarity on this.
But it seems that the auth doesn't work when I run the sandbox with
daml sandbox --config auth.conf
Because anything goes, really, and it doesn't hold back.
As opposed to this:
canton.participants.sandbox.ledger-api.auth-services = [{
type = jwt-jwks
url = "http://localhost:8080/v1/auth/jwks"
# issuer = "my-auth-service-id"
}]
Also, some part of the doc says we should set the JWT token like this:
{
"https://daml.com/ledger-api": {
"ledgerId": "sandbox",
"applicationId": "foobar",
"actAs": ["Alice"]
}
}
and yet I see this also:
{
"aud": "https://daml.com/jwt/aud/participant/someParticipantId",
"sub": "someUserId",
"iss": "someIdpId",
"exp": 1300819380
}
Which one is which?
Please also, is the "sub": "someUserId" the user ID of the party?
Thanks
Please also, is the "sub": "someUserId" the user ID of the party?
Yes. The sub: field of the JWT is the Canton User (e.g., alice). It is not the Daml Party (e.g., alice::abcd12345....).
Also, some part of the doc says we should set the JWT token like this:
and yet I see this also:
There are three formats. The Canton 2.x docs describe a "Custom Claims" format for JWT. That one is deprecated. The remaining two options are "Audience-based" and "Scope-based". They are described here.
user-management-service.additional-admin-user-id = "user-id"
I’ll confess this is unfamiliar to me. Did you see that somewhere?
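To make the answer above concrete, here is an added example (not code from the thread, Canton, or Daml) that mints and verifies a token in the "Audience-based" shape shown earlier in the thread and then shows why the "sub" claim is a Canton user rather than a Daml party. Assumptions: the thread's setup uses a JWKS endpoint with RSA keys; this example swaps in HS256 with a constructed shared secret so it runs offline, and the participant id "someParticipantId", the issuer "someIdpId", and the user-to-party rights table are all constructed placeholders standing in for the participant's user management service.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a demo shared secret (the thread's deployment would use
# JWKS/RSA instead) and a placeholder participant id.
SECRET = b"constructed-demo-secret"
PARTICIPANT_ID = "someParticipantId"
EXPECTED_AUD = f"https://daml.com/jwt/aud/participant/{PARTICIPANT_ID}"

# Constructed stand-in for the participant's user management service:
# the JWT names a *user*; the parties that user may act as live here.
USER_RIGHTS = {
    "alice": {"actAs": ["alice::abcd12345"], "readAs": []},
    "participant_admin": {"actAs": [], "readAs": [], "admin": True},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(user_id: str, aud: str, ttl: int = 3600, now=None) -> str:
    """Build an audience-based token: aud = participant audience, sub = user id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": aud, "sub": user_id, "iss": "someIdpId", "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Check signature, algorithm, audience, expiry and subject; never trust claims before the signature."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "user_id": None, "reason": "malformed"}
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return {"ok": False, "user_id": None, "reason": "bad signature"}
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return {"ok": False, "user_id": None, "reason": "unexpected alg"}
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:  # token minted for another participant must not be accepted here
        return {"ok": False, "user_id": None, "reason": "audience mismatch"}
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return {"ok": False, "user_id": None, "reason": "expired"}
    sub = claims.get("sub")
    if not sub:
        return {"ok": False, "user_id": None, "reason": "missing sub"}
    return {"ok": True, "user_id": sub, "reason": "ok"}


def resolve_parties(user_id: str) -> list:
    """The party list comes from user rights, not from the token itself."""
    return list(USER_RIGHTS.get(user_id, {}).get("actAs", []))


if __name__ == "__main__":
    tok = mint_token("alice", EXPECTED_AUD)
    result = verify_token(tok)
    print(result, "parties:", resolve_parties(result["user_id"]))
```

The point to notice is the last step: a valid token yields the user "alice", and only the rights table turns that into the party "alice::abcd12345". A token minted for a different participant audience is rejected before any claim is used.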
here
Here is a link Here
Although this just makes a reference to it, I can't remember where I saw the full setup like this, but I know I grabbed it from the docs:
canton.participants.app-provider {
ledger-api {
auth-services = [{
type = jwt-jwks
target-audience = audience-apis
url = "http://localhost:8080/v1/auth/jwks"
}]
user-management-service.additional-admin-user-id = "user-id"
}
}
There are three formats. The Canton 2.x docs describe a "Custom Claims" format for JWT. That one is deprecated. The remaining two options are "Audience-based" and "Scope-based". They are described here.
So does that mean I can just do
{
"aud": "https://daml.com/jwt/aud/participant/someParticipantId",
"sub": "someUserId",
"iss": "someIdpId",
"exp": 1300819380
}
And by the way, what's the participant ID?
user-management-service.additional-admin-user-id
Thank you for pointing me to this new feature! I had overlooked it. I have updated this sample to include an additional-admin-user-id.
And by the way, what's the participant ID?
Each participant will have its own participant id. See How to get the participant id when auth-services is configured?.
