# Admin API

> Reference documentation for the Canton Admin API, covering node administration, key management, topology, and party management.

The Canton Admin API is a gRPC API exposed by every Canton node (participant, sequencer, mediator). It provides administrative operations that go beyond the [Ledger API](/sdks-tools/api-reference/ledger-api) — managing keys, topology state, synchronizer connections, packages, users, pruning, and node health. Unlike the Ledger API, which handles command submission and transaction reads, the Admin API controls the node itself.

<Warning>
  Do not expose the Admin API publicly without proper security controls. It serves administrative purposes only and grants full control over the node. Use TLS and restrict network access to trusted operators.
</Warning>

## Admin API Services

The Admin API is split across two layers: the **Ledger API admin services** (defined in the `com.daml.ledger.api.v2.admin` package) and the **Canton-specific admin services** (accessed through the Canton console or direct gRPC calls).

### Ledger API Admin Services

These services run on participant nodes alongside the Ledger API. They are defined in the [gRPC Ledger API proto specifications](/reference/grpc-ledger-api-reference).

### Canton-Specific Admin Services

Canton extends the standard Ledger API admin services with operations specific to Canton's architecture. Access these through the [Canton Console](/global-synchronizer/reference/canton-console-reference) or directly via gRPC.

* **Key management** — generate, import, export, and rotate signing and encryption keys. List keys by purpose (signing, encryption) and view key metadata.
* **Topology management** — inspect and modify the topology state: party-to-participant mappings, namespace delegations, synchronizer trust certificates, and package vetting. Topology transactions are the mechanism through which Canton nodes discover each other's capabilities.
* **Synchronizer connectivity** — connect participants to synchronizers, disconnect, reconnect, and list active connections. Manage synchronizer connection configurations and aliases.
* **Node health and status** — query the node's running status, health, and identity. Check whether the node has been initialized and retrieve its unique identifier.

## Configuration

For synchronizer nodes, the Admin API is configured at the same level as other node settings:

### Keep-Alive Settings

See the [gRPC keep-alive documentation](https://grpc.io/docs/guides/keepalive/) for details on how these parameters affect connection behavior.

## TLS

For production deployments, use mutual TLS (mTLS) to authenticate both the server and the client.
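
The warning at the top of this page and the mTLS requirement above can be checked mechanically before a node is deployed. The following is an added example, not Canton's own code: a Python linter over already-parsed `admin-api` settings that flags wide binds, plaintext listeners, and TLS without client authentication. The key names (`address`, `tls`, `client-auth`, `trust-collection-file`), the loopback default, and the sample nodes are assumptions modelled on Canton's HOCON layout; check them against the configuration reference for your version.

```python
import ipaddress

# Constructed sample: admin-api settings per node, as a parsed config would
# yield them. Key names are assumptions modelled on Canton's HOCON layout.
SAMPLE_NODES = {
    "participant1": {"address": "0.0.0.0", "port": 5012},
    "sequencer1": {
        "address": "10.0.4.7", "port": 5022,
        "tls": {"cert-chain-file": "admin.crt", "private-key-file": "admin.pem"},
    },
    "mediator1": {
        "address": "127.0.0.1", "port": 5032,
        "tls": {
            "cert-chain-file": "admin.crt", "private-key-file": "admin.pem",
            "trust-collection-file": "operators-ca.crt",
            "client-auth": {"type": "require"},
        },
    },
}


def audit_admin_api(nodes):
    """Return sorted (node, finding) pairs for weak Admin API listener settings."""
    findings = []
    for name, api in nodes.items():
        addr_text = api.get("address", "127.0.0.1")  # assumed default: loopback
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((name, "address-not-literal-ip"))  # hostname: review by hand
            addr = None
        if addr is not None and addr.is_unspecified:
            findings.append((name, "binds-all-interfaces"))
        elif addr is not None and addr.is_global:
            findings.append((name, "binds-public-address"))
        tls = api.get("tls")
        if not tls:
            findings.append((name, "no-tls"))
            continue
        if tls.get("client-auth", {}).get("type") != "require":
            findings.append((name, "no-client-cert-required"))
        elif not tls.get("trust-collection-file"):
            findings.append((name, "mtls-without-trust-collection"))
    return sorted(findings)


if __name__ == "__main__":
    for node, finding in audit_admin_api(SAMPLE_NODES):
        print(f"{node}: {finding}")
```

A bind to a private address is not flagged here, so network-level restriction to trusted operators still has to be verified separately.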

## Common Operations for App Developers

While the Admin API is primarily an operator tool, app developers interact with it during development and testing for tasks that the Ledger API does not cover.

**Party allocation** — before your application can submit commands as a party, that party must exist on the participant. In production, operators generally handle this. During development with the Sandbox, you allocate parties yourself:

```bash
dpm sandbox -- canton.participants(0).parties.enable("Alice")
```

Or via gRPC using the `PartyManagementService.AllocateParty` RPC.

**DAR uploads** — your compiled Daml packages must be uploaded to the participant before contracts can be created. Note that `dpm` does not currently have a `deploy` command for uploading DARs to remote validators. For DAR uploads, use the Admin API directly (via `PackageManagementService.UploadDarFile` gRPC call, `curl`, or the [Canton Console](/global-synchronizer/reference/canton-console-reference)).

**User management** — the Ledger API authorizes requests based on user rights (actAs, readAs, executeAs, readAsAnyParty, executeAsAnyParty). Create and configure users through `UserManagementService` to control which parties your application can operate as.

## Related Pages

<CardGroup cols={2}>
  <Card title="Ledger API" href="/sdks-tools/api-reference/ledger-api">
    gRPC API for submitting commands and reading transactions
  </Card>

  <Card title="JSON API" href="/sdks-tools/api-reference/json-api">
    HTTP/REST wrapper for the Ledger API
  </Card>

  <Card title="Splice APIs" href="/sdks-tools/api-reference/splice-apis">
    Scan, Validator, and SV REST APIs
  </Card>

  <Card title="Canton Console Reference" href="/global-synchronizer/reference/canton-console-reference">
    Console commands for interacting with the Admin API
  </Card>
</CardGroup>
