Splice validator wallet onboarding hits TOO_MANY_USER_RIGHTS for backend ledger-api-user
Hi everyone,
We’re running a Splice validator deployment and are hitting a Canton user rights limit during wallet onboarding.
The validator has wallet enabled: canton.validator-apps.validator_backend.enable-wallet = true
Problem:
When a normal human user calls: POST /api/validator/v0/register
with a regular Auth0 user token, onboarding fails with:
TOO_MANY_USER_RIGHTS(...): grant user rights failed, as user
"fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients"
would have too many rights
We inspected the rights for that backend user and it currently has exactly 1000 rights.
What we confirmed from validator-app logs:
The incoming /register request is using a human user token. The validator decodes it correctly:
operation=register
Decoded token with subject = auth0|6a2e1fedc822b4846155b95c
It then allocates the human user party:
Allocated auth0_007c6a2e1fedc822b4846155b95c::...
for user auth0|6a2e1fedc822b4846155b95c
But immediately after that, validator-app tries to grant the backend M2M user the right to act as that human party:
Ensuring that Grant user rights for user
fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients
to act as
auth0_007c6a2e1fedc822b4846155b95c::...
Then the participant rejects the grant:
UserManagementService/GrantUserRights
FAILED_PRECONDITION/TOO_MANY_USER_RIGHTS:
grant user rights failed, as user
"fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients"
would have too many rights
We also see validator wallet/treasury automations running per end-user party, e.g.:
TreasuryService:validator=validator_backend/endUserParty=...
CollectRewardsAndMergeAmuletsTrigger-work
CO_MergeTransferInputs
So our current understanding is that validator-app grants CanActAs(endUserParty) to the backend service account for every onboarded wallet user, probably so backend wallet/treasury automations can submit commands as those parties.
Questions:
- Is this expected behavior for Splice validator 0.6.6?
- Should the validator backend Ledger API user accumulate one CanActAs(…) right for every wallet user party?
- Is there a config option or newer Splice version that avoids accumulating one CanActAs right per wallet user?
- What is the recommended setup to avoid hitting the 1000 user-right limit for validator wallet deployments?
Thanks! We’re trying to understand whether this is expected validator wallet behavior, a configuration issue on our side, or something else.
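Added example, not part of the original post and not Splice or Canton code: a small log correlator that follows the sequence quoted above (party allocation, act-as grant attempt, TOO_MANY_USER_RIGHTS rejection) and reports which human user's onboarding failed and which service account hit the limit. The single-line log layout, the function names and the sample identifiers are assumptions constructed from the fragments in the post; real validator-app and participant logs carry more fields.

```python
import re
from collections import Counter

# Constructed log lines modelled on the fragments quoted in the post.
# Identifiers are placeholders, and the one-line layout is an assumption.
SAMPLE_LOG = """\
operation=register Decoded token with subject = auth0|user-a
Allocated auth0_007cuser-a::1220aaaa for user auth0|user-a
Ensuring that Grant user rights for user svc@clients to act as auth0_007cuser-a::1220aaaa
operation=register Decoded token with subject = auth0|user-b
Allocated auth0_007cuser-b::1220bbbb for user auth0|user-b
Ensuring that Grant user rights for user svc@clients to act as auth0_007cuser-b::1220bbbb
FAILED_PRECONDITION/TOO_MANY_USER_RIGHTS: grant user rights failed, as user "svc@clients" would have too many rights
"""

ALLOCATED = re.compile(r"Allocated (\S+) for user (\S+)")
GRANT = re.compile(r"Grant user rights for user (\S+) to act as (\S+)")
REJECTED = re.compile(r'TOO_MANY_USER_RIGHTS.*as user "([^"]+)"')


def failed_onboardings(log_text):
    """Return (grantee, human_user, party) for each rejected act-as grant."""
    party_owner = {}  # party -> human user it was allocated for
    pending = {}      # grantee -> party named in its latest grant attempt
    failures = []
    for line in log_text.splitlines():
        if m := ALLOCATED.search(line):
            party_owner[m.group(1)] = m.group(2)
        elif m := GRANT.search(line):
            pending[m.group(1)] = m.group(2)
        elif m := REJECTED.search(line):
            grantee = m.group(1)
            party = pending.pop(grantee, None)
            failures.append((grantee, party_owner.get(party), party))
    return failures


def attempts_per_grantee(log_text):
    """Count act-as grant attempts per grantee, a proxy for rights growth."""
    return Counter(m.group(1) for m in GRANT.finditer(log_text))


if __name__ == "__main__":
    for grantee, user, party in failed_onboardings(SAMPLE_LOG):
        print(f"{grantee} rejected while onboarding {user} ({party})")
    print(dict(attempts_per_grantee(SAMPLE_LOG)))
```

Tracking the per-grantee attempt count over time shows how quickly a single service account is collecting act-as rights, well before the participant starts rejecting grants.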