The Ledger Api provides authorization support using JWT
tokens. While JWT token authorization lets third-party applications be authorized properly, it poses some issues
for Canton internal services such as the PingService or the DarService, which are Daml-based services used by
Canton to manage domain-wide concerns. Therefore, on each startup Canton generates a new admin bearer token (64 bytes,
randomly generated, hex-encoded), which is communicated to these services internally and used by them to
authorize themselves on the Ledger Api. The admin token allows its holder to act as any party registered on that participant node.
The admin token is only used within the same process. Therefore, in order to obtain this token, an attacker needs to be
able to either dump the memory or capture the network traffic, which typically only a privileged user can do.
It is important to enable TLS together with JWT support in general, as otherwise tokens can be leaked to an attacker
who has the ability to inspect network traffic.
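
The following is an added example, not Canton's own code: a simplified Python model of the scheme described above, showing the per-startup 64-byte hex token, its "any party" scope next to a party-scoped JWT, and its invalidation on restart. The class name, the injected JWT validator, the sample token string and the constant-time comparison are assumptions of this sketch.

```python
import hmac
import secrets
from typing import Callable, Set

ADMIN_TOKEN_BYTES = 64  # size stated in the text above


class LedgerApiAuthorizer:
    """Simplified model: in-memory admin token checked before the JWT path."""

    def __init__(self, jwt_act_as: Callable[[str], Set[str]]):
        # Fresh token per process start; hex encoding yields 128 characters.
        self._admin_token = secrets.token_hex(ADMIN_TOKEN_BYTES)
        self._jwt_act_as = jwt_act_as  # hypothetical JWT validator (assumption)

    def token_for_internal_service(self) -> str:
        # In this model the token is only handed over inside the same process.
        return self._admin_token

    def may_act_as(self, authorization_header: str, party: str) -> bool:
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return False
        # Constant-time comparison (a choice made in this sketch).
        if hmac.compare_digest(token.encode(), self._admin_token.encode()):
            return True  # admin token: any party on this participant
        return party in self._jwt_act_as(token)


def sample_jwt_validator(token: str) -> Set[str]:
    # Constructed stand-in for real JWT validation: one token, one party.
    return {"Alice"} if token == "constructed.jwt.alice" else set()


def demo() -> dict:
    node = LedgerApiAuthorizer(sample_jwt_validator)
    admin = "Bearer " + node.token_for_internal_service()
    restarted = LedgerApiAuthorizer(sample_jwt_validator)  # simulated restart
    return {
        "token_length": len(node.token_for_internal_service()),
        "admin_as_alice": node.may_act_as(admin, "Alice"),
        "admin_as_bob": node.may_act_as(admin, "Bob"),
        "jwt_as_alice": node.may_act_as("Bearer constructed.jwt.alice", "Alice"),
        "jwt_as_bob": node.may_act_as("Bearer constructed.jwt.alice", "Bob"),
        "old_token_after_restart": restarted.may_act_as(admin, "Bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Because the admin token is not scoped to a party, a captured copy is worth more than any single JWT until the next restart, which is why the transport it may cross should be protected with TLS.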