Your Party ID key is the co-signer key for DvP settlement — analogous to a multisig key, but with DAML choice-level granularity. Protect it with the same controls you apply to any key that authorizes asset movements.
Your Signing Authority
- Co-signature on quote acceptance — no assets move without your approval
- Settlement approval — you are one of four required signatories on the atomic DvP
- Veto power — you can reject order proposals or refuse to co-sign quotes
Unlike EVM multisig where any N-of-M signers are interchangeable, your Canton Party ID is a named role. The settlement protocol requires specifically your signature — it cannot be substituted by another custodian or any other party.
Canton Privacy vs Public Chain Transparency
If you’re used to EVM or Bitcoin, where every transaction is publicly visible, Canton’s privacy model is fundamentally different:
| Public Chains (EVM/Bitcoin) | Canton (Musubi) |
|---|
| Transaction visibility | Everyone sees everything (Etherscan, block explorers) | Only parties to a contract see it |
| Balance visibility | Anyone can query any address’s balance | Only you see your holdings |
| Trade history | Fully public, linkable, analyzable | Private — other participants cannot see your activity |
| Counterparty discovery | Addresses are pseudonymous but linkable | Party IDs are visible only to authorized counterparties |
| Network-wide state | Full global state accessible to all | No global state — each node stores only its own contracts |
This means you cannot independently verify other participants’ balances or transaction history by scanning a public ledger. Trust in counterparty solvency comes from the atomic DvP guarantee (both legs or neither), not from on-chain transparency.
Authentication
| Property | Value |
|---|
| Token type | JWT (JSON Web Token) |
| Key claims | canton_party_id (your identity), role: "custodian" |
| Lifetime | 3600 seconds (1 hour) default |
| Obtain via | POST /auth/token on your backend |
Data Isolation
Your backend and database run in your infrastructure:
No other participant can access your backend or database. All cross-party communication flows through the settlement network protocol.
What You See
Sender Custodian
Receiver Custodian
| Data | Visible |
|---|
| Order details for assets you custody | Full visibility |
| All competing MM quotes | Full visibility |
| Your client’s identity and compliance refs | Full visibility |
| Receiver institution and their custodian | Visible |
| Market maker identity (on accepted quotes) | Visible |
| Settlement confirmation and proof | Full visibility |
| Other custodians’ orders | Not visible |
| Orders you’re not party to | Not visible |
| Data | Visible |
|---|
| Settlement confirmation for inbound deposits | Full visibility |
| Order details (after settlement) | Visible |
| Sender institution and their custodian | Visible |
| Market maker identity | Visible |
| Quoting phase details (rates, competing quotes) | Not visible |
| Other custodians’ orders | Not visible |
What You Control
| Component | Controlled By |
|---|
| Your backend instance | You |
| Your database | You |
| Your signing keys | You |
| JWT issuance (production) | Your IdP |
| Whitelist configuration | You |
| Network access policies | You |
