Domain Architecture and Integrations

Recall the high-level topology with Canton domains being backed by different technologies, such as a relational database as well as block-chains like Hyperledger Fabric or Ethereum.


In this chapter we define the requirements specific to a Canton domain, explain the generic domain architecture, as well as the concrete integrations for Canton domains.

Domain-specific Requirements

The high-level requirements define requirements for Canton in general, covering both participant and domains. This section categorizes and expands on these high-level requirements and defines domain-specific requirements, both functional and non-functional ones.

Functional Requirements

The domain contributes to the high-level functional requirements in terms of facilitating the synchronization of changes. As the domain can only see encrypted transactions, refer to transaction privacy in the non-functional requirements, the functional requirements are satisfied on a lower level than the DAML transaction level.

  • Synchronization: The domain must facilitate the synchronization of the shared ledger among participants by establishing a total-order of transactions.
  • Transparency: The domain must inform the designated participants timely on changes to the shared ledger.
  • Finality: The domain must facilitate the synchronization of the shared ledger in an append-only fashion.
  • No unnecessary rejections: The domain should minimize unnecessary rejections of valid transactions.
  • Seek support for notifications: The domain must facilitate offset-based access to the notifications of the shared ledger.

Non-Functional Requirements


The performance targets cover the entire Canton system and are not broken down to individual component performance targets.

  • Canton Alpha-level Performance: 5 transactions/second (tps) with up to 3 second latency.
  • Canton Beta-level Performance: 20 tps with up to 1s latency.

Throughput is measured with a simple DAML workflow where one participant node creates a contract and another participant node must observe the contract. Performance is measured using the DAML Ledger API test tool.


  • Seamless fail-over for domain entities: All domain entities must be able to tolerate crash faults up to a certain failure rate, e.g., 1 sequencer node out of 3 can fail without interruption.
  • Resilience to faulty domain behavior: The domain must be able to detect and recover from failures of the domain entities, such as performing a fail-over on crash failures or retrying operations on transient failures if possible. The domain should tolerate byzantine failures of the domain entities.
  • Backups: The state of the domain entities have to be backed up such that in case of disaster recovery only minimal amount of data is lost.
  • Site-wide disaster recovery: In case of a failure of a data-center hosting a domain, the system must be able to fail-over to another data-center and recover operations.
  • Resilience to erroneous behavior: The domain must be resilient to erroneous behavior from the participants interacting with the domain.


  • Horizontal scalability: The parallelizable domain entities and their sub-components must be able to horizontally scale.
  • Large transaction support: The domain entities must be able to cope with large transactions and their resulting large payloads.


  • Domain entity compromise recovery: In case of a compromise of a domain entity, the domain must provide procedures to mitigate the impact of the compromise and allow to restore operations.
  • Standards compliant cryptography: All used cryptographic primitives and their configurations must be compliant to approved standards and based on existing and audited implementations.
  • Authentication and authorization: The participants interacting with the domain as well as the domain entities internal to the domain must authenticate themselves and have their appropriate permissions enforced.
  • Secure channel (TLS): All communication channels between the participants and the domain as well as between the domain entities themselves have to support a secure channel option using TLS, optionally with client certificate-based mutual authentication.
  • Distributed Trust: The domain should be able to be operated by a consortium in order to distribute the trust by the participants in the domain among many organizations.
  • Transaction Metadata Privacy: The domain entities must never learn the content of the transactions. The domain entities should learn a limited amount of transaction metadata, such as structural properties of a transaction and involved stakeholders.


  • Garbage collection: The domain entities must provide ways to minimize the amount of data kept on hot storage, in particular data that is only required for auditability can move to cold storage or data that has been processed and stored by the participants could be removed after a specific retention period.
  • Upgradeability: The domain as a whole or individual domain entities must be able to upgrade with minimal downtime.
  • Semantic versioning: The interfaces, protocols, and persistent data schemas of the domain entities must be versioned according to semantic versioning guidelines.
  • Domain approved protocol versions: The domain must offer and verify the supported versions towards the participants. The domain must further ensure that the domain entities operate on compatible versions.
  • Reuse off-the-shelf solutions: The domain entities should use off-the-shelf solutions for persistence, API specification, logging, and metrics.
  • Metrics on communication and processing: The domain entities must expose metrics on communication and processing to facilitate operations and trouble shooting.
  • Component health monitoring: The domain entities must expose a health endpoint for monitoring.

Domain-Internal Components

The following diagram shows the architecture and components of a Canton domain as well as how a participant node interacts with the domain.


The domain consists of the following components:

  • Domain Service: The first point of contact for a participant node when connecting to a domain. The participant performs a version handshake with the domain service and discovers the available other services, such as the sequencer. If the domain requires a service agreement to be accepted by connecting participants, the domain service will provide the agreement.
  • Domain Identity Service: The domain identity services is responsible for all identity management operations on a domain. The service provides the essential identity state to a new participant node, i.e., the set of keys for the domain entities to bootstrap the participant node. Furthermore, participant nodes can upload their own identity transactions to the domain identity service, which inspects and possibly approves and publishes those identity transactions on the domain via the sequencer.
  • Sequencer Authentication Service: A node can authenticate itself to the sequencer service either using a client certificate or using an authentication token. The sequencer authentication service issues such authentication tokens after performing a challenge-response protocol with the node. The node has to sign the challenge with their private key corresponding to a public key that has been approved and published by the domain identity service.
  • Sequencer Service: The sequencer services establishes the total-order of messages, including transactions, within a domain. The service implements a total-order multicast, i.e., the sender of a message indicates the set of recipients to which the message is delivered. The order is established based on a unique timestamp assigned by the sequencer to each message.
  • Sequencer Manager: The sequencer manager is responsible for initializing the sequencer service and serves as a trigger for sending heartbeats via the sequencer.
  • Mediator: The mediator participates in the Canton transaction protocol and acts as the transaction commit coordinator to register new transaction requests and finalizes those requests by collecting transaction confirmations. The mediator provides privacy among the set of transaction stakeholders as the stakeholders do not communicate directly but always via the mediator.

The domain operator is responsible to operate the domain infrastructure and (optionally) also verifies and approves identity transactions, in particular to admit new participant nodes to a domain. The operator can either be a single entity managing the entire domain or a consortium of operators, refer to the distributed trust security requirement.

Domain Integrations

Based on the set of domain internal components, a domain integration implements one or more components based on a particular technology. The prime component is the sequencer service and its ordering functionality, with implementations ranging from a relational database to a distributed blockchain. Components can be shared among integrations, for example, a mediator implemented on a relational database can be used together with a blockchain-based sequencer.