Splice validator wallet onboarding hits TOO_MANY_USER_RIGHTS for backend ledger-api-user

Hi everyone,

We’re running a Splice validator deployment and are hitting a Canton user rights limit during wallet onboarding.

The validator has wallet enabled: canton.validator-apps.validator_backend.enable-wallet = true

Problem:

When a normal human user calls: POST /api/validator/v0/register
with a regular Auth0 user token, onboarding fails with:

TOO_MANY_USER_RIGHTS(...): grant user rights failed, as user
"fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients"
would have too many rights

We inspected the rights for that backend user and it currently has exactly 1000 rights.

What we confirmed from validator-app logs:

The incoming /register request is using a human user token. The validator decodes it correctly:

operation=register
Decoded token with subject = auth0|6a2e1fedc822b4846155b95c

It then allocates the human user party:

Allocated auth0_007c6a2e1fedc822b4846155b95c::...
for user auth0|6a2e1fedc822b4846155b95c

But immediately after that, validator-app tries to grant the backend M2M user the right to act as that human party:

Ensuring that Grant user rights for user
fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients
to act as
auth0_007c6a2e1fedc822b4846155b95c::...

Then the participant rejects the grant:

UserManagementService/GrantUserRights
FAILED_PRECONDITION/TOO_MANY_USER_RIGHTS:
grant user rights failed, as user
"fDFyHMYvx2VTJZ78PZY7Wlx2wGEBDl01@clients"
would have too many rights

We also see validator wallet/treasury automations running per end-user party, e.g.:

TreasuryService:validator=validator_backend/endUserParty=...
CollectRewardsAndMergeAmuletsTrigger-work
CO_MergeTransferInputs

So our current understanding is that validator-app grants CanActAs(endUserParty) to the backend service account for every onboarded wallet user, probably so backend wallet/treasury automations can submit commands as those parties.

Questions:

  1. Is this expected behavior for Splice validator 0.6.6?
  2. Should the validator backend Ledger API user accumulate one CanActAs(…) right for every wallet user party?
  3. Is there a config option or newer Splice version that avoids accumulating one CanActAs right per wallet user?
  4. What is the recommended setup to avoid hitting the 1000 user-right limit for validator wallet deployments?

Thanks! We’re trying to understand whether this is expected validator wallet behavior, a configuration issue on our side, or something else.

Add this to the compose.yaml configuration
ADDITIONAL_CONFIG MAX RIGHTS=canton.participants.participant.ledger-api.user-management-service.max-rights-per-user=1000/10000/1000000

Interesting finding. Is the long-term expectation to scale horizontally across backend identities, or should wallet automation eventually avoid requiring one CanActAs grant per end-user?

Check the documentation here for instructions on how to handle larger numbers of parties: Network Scalability - Canton Network Docs.
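Added example, not part of any post in this thread and not Splice or Canton code: a small audit that reports how close a Ledger API user is to the per-user rights limit discussed above, so the condition is caught before onboarding starts failing. The input shape (one dict per right with `kind` and `party`), the function names, and the sample party ids are assumptions made for illustration; the rights would have to be exported into that shape first.

```python
from collections import Counter

# Limit reported in the thread; raise it here if max-rights-per-user was changed.
DEFAULT_LIMIT = 1000


def audit_rights(rights, limit=DEFAULT_LIMIT, warn_ratio=0.8):
    """Summarise one user's rights and the headroom left before the limit.

    Assumed input shape (hypothetical export format):
        [{"kind": "CanActAs", "party": "<party id>"}, ...]
    """
    by_kind = Counter(r["kind"] for r in rights)
    act_as = {r["party"] for r in rights if r["kind"] == "CanActAs"}
    read_as = {r["party"] for r in rights if r["kind"] == "CanReadAs"}
    total = len(rights)
    if total >= limit:
        status = "AT_LIMIT"   # the next grant will be rejected
    elif total >= warn_ratio * limit:
        status = "WARN"       # plan capacity before onboarding more users
    else:
        status = "OK"
    return {
        "total": total,
        "by_kind": dict(by_kind),
        "act_as_parties": len(act_as),
        # Acting as a party already allows reading as it, so a CanReadAs
        # for the same party spends a right without adding access.
        "redundant_read_as": sorted(act_as & read_as),
        "headroom": max(limit - total, 0),
        "status": status,
    }


def constructed_sample(n_parties):
    """Constructed data: one admin right plus one CanActAs per wallet party."""
    rights = [{"kind": "ParticipantAdmin", "party": None}]
    rights += [
        {"kind": "CanActAs", "party": f"example_user_{i}::placeholder"}
        for i in range(n_parties)
    ]
    return rights


if __name__ == "__main__":
    report = audit_rights(constructed_sample(999))
    print(report["status"], report["total"], report["headroom"])
```

The `act_as_parties` count is also the number of parties a single leaked backend credential could submit commands for, which is worth tracking alongside the limit itself.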