Glossary of concepts

Key Concepts


Daml is a platform for building and running sophisticated, multi-party applications. At its core, it contains a smart contract language and tooling that defines the schema, semantics, and execution of transactions between parties. Daml includes Canton, a privacy-enabled distributed ledger that is enhanced when deployed with complementary blockchains.

Daml Language

The Daml language is a purpose-built language for rapid development of composable multi-party applications. It is a modern, ergonomically designed functional language that carefully avoids many of the pitfalls that hinder multi-party application development in other languages.

Daml Ledger

A Daml ledger is a distributed ledger system running Daml smart contracts according to the Daml ledger model and exposes the Daml Ledger APIs. All current implementations of Daml ledgers consist of a Daml driver that utilizes an underlying Synchronization Technology to either implement the Daml ledger directly, or to run the Canton protocol.

Canton Ledger

A Canton ledger is a privacy-enabled Daml ledger implemented using the Canton application, nodes, and protocol.

Canton Protocol

The Canton protocol is the technology which synchronizes participant nodes across any Daml-enabled blockchain or database. The Canton protocol not only makes Daml applications portable between different underlying synchronization technologies, but also allows applications to transact with each other across them.

Synchronization Technology

The synchronization technology is the database or blockchain that Daml uses for synchronization, messaging, and topology. Daml runs on a range of synchronization technologies, from centralized databases to fully distributed deployments, and users can employ the technology that best suits their technical and operational needs.

Daml Drivers

Daml drivers enable a ledger to be implemented on top of different synchronization technologies; a database or distributed ledger technology.

Daml Language Concepts


Contracts are items on a ledger. They are created from blueprints called templates, and include:

Contracts are immutable: once they are created on the ledger, the information in the contract cannot be changed. The only thing that can happen to them is that they can be archived.

Active Contract, Archived Contract

When a contract is created on a ledger, it becomes active. But that doesn’t mean it will remain active forever: it can be archived. This can happen:

Once the contract is archived, it is no longer valid, and choices on the contract can no longer be exercised.


A template is a blueprint for creating a contract. This is the Daml code you write.

For full documentation on what can be in a template, see Reference: Templates.


A choice is something that a party can exercise on a contract. You write code in the choice body that specifies what happens when the choice is exercised: for example, it could create a new contract.

Choices give one a way to transform the data in a contract: while the contract itself is immutable, you can write a choice that archives the contract and creates a new version of it with updated data.

A choice can only be exercised by its controller. Within the choice body, you have the authorization of all of the contract’s signatories.

For full documentation on choices, see Reference: Choices.

Consuming Choice

A consuming choice means that, when the choice is exercised, the contract it is on will be archived. The alternative is a nonconsuming choice.

Consuming choices can be preconsuming or postconsuming.

Preconsuming Choice

A choice marked preconsuming will be archived at the start of that exercise.

Postconsuming Choice

A choice marked postconsuming will not be archived until the end of the exercise choice body.

Nonconsuming Choice

A nonconsuming choice does NOT archive the contract it is on when exercised. This means the choice can be exercised more than once on the same contract.

Disjunction Choice, Flexible Controllers

A disjunction choice has more than one controller.

If a contract uses flexible controllers, this means you don’t specify the controller of the choice at creation time of the contract, but at exercise time.


A party represents a person or legal entity. Parties can create contracts and exercise choices.

Signatories, observers, controllers, and maintainers all must be parties, represented by the Party data type in Daml and determine who may see
contract data.

Parties are hosted on participant nodes and a participant node can host more than one party. A party can be hosted on several participant nodes simultaneously.


A signatory is a party on a contract. The signatories MUST consent to the creation of the contract by authorizing it: if they don’t, contract creation will fail. Once the contract is created, signatories can see the contracts and all exercises of that contract.

For documentation on signatories, see Reference: Templates.


An observer is a party on a contract. Being an observer allows them to see that instance and all the information about it. They do NOT have to consent to the creation.

For documentation on observers, see Reference: Templates.


A controller is a party that is able to exercise a particular choice on a particular contract.

Controllers must be at least an observer, otherwise they can’t see the contract to exercise it on. But they don’t have to be a signatory. this enables the propose-accept pattern.

Choice Observer

A choice observer is a party on a choice. Choice observers are guaranteed to see the choice being exercised and all its consequences with it.


Stakeholder is not a term used within the Daml language, but the concept refers to the signatories and observers collectively. That is, it means all of the parties that are interested in a contract.


The maintainer is a party that is part of a contract key. They must always be a signatory on the contract that they maintain the key for.

It’s not possible for keys to be globally unique, because there is no party that will necessarily know about every contract. However, by including a party as part of the key, this ensures that the maintainer will know about all of the contracts, and so can guarantee the uniqueness of the keys that they know about.

For documentation on contract keys, see Reference: Contract Keys.

Authorization, Signing

The Daml runtime checks that every submitted transaction is well-authorized, according to the authorization rules of the ledger model, which guarantee the integrity of the underlying ledger.

A Daml update is the composition of update actions created with one of the items in the table below. A Daml update is well-authorized when all its contained update actions are well-authorized. Each operation has an associated set of parties that need to authorize it:

Updates and required authorization
Update action Type Authorization
create (Template c) => c -> Update (ContractId c) All signatories of the created contract
exercise ContractId c -> e -> Update r All controllers of the choice
fetch ContractId c -> e -> Update r One of the union of signatories and observers of the fetched contract
fetchByKey k -> Update (ContractId c, c) Same as fetch
lookupByKey k -> Update (Optional (ContractId c)) All key maintainers

At runtime, the Daml execution engine computes the required authorizing parties from this mapping. It also computes which parties have given authorization to the update in question. A party gives authorization to an update in one of two ways:

  • It is the signatory of the contract that contains the update action.
  • It is an element of the controllers executing the choice containing the update action.

Only if all required parties have given their authorization to an update action, the update action is well-authorized and therefore executed. A missing authorization leads to the abortion of the update action and the failure of the containing transaction.

It is noteworthy, that authorizing parties are always determined only from the local context of a choice in question, that is, its controllers and the contract’s signatories. Authorization is never inherited from earlier execution contexts.

Standard Library

The Daml standard library is a set of Daml functions, classes and more that make developing with Daml easier.

For documentation, see The standard library.


An agreement is part of a contract. It is the text that explains what the contract represents.

It can be used to clarify the legal intent of a contract, but this text isn’t evaluated programmatically.

See Reference: Templates.


A create is an update that creates a contract on the ledger.

Contract creation requires authorization from all its signatories, or the create will fail. For how to get authorization, see the propose-accept and multi-party agreement patterns.

A party submits a create command.

See Reference: Updates.


An exercise is an action that exercises a choice on a contract on the ledger. If the choice is consuming, the exercise will archive the contract; if it is nonconsuming, the contract will stay active.

Exercising a choice requires authorization from all of the controllers of the choice.

A party submits an exercise command.

See Reference: Updates.

Daml Script

Daml Script provides a way of testing Daml code during development. You can run Daml Script inside Daml Studio, or write them to be executed on Sandbox when it starts up.

They’re useful for:

  • expressing clearly the intended workflow of your contracts
  • ensuring that parties can exclusively create contracts, observe contracts, and exercise choices that they are meant to
  • acting as regression tests to confirm that everything keeps working correctly

In Daml Studio, Daml Script runs in an emulated ledger. You specify a linear sequence of actions that various parties take, and these are evaluated in order, according to the same consistency, authorization, and privacy rules as they would be on a Daml ledger. Daml Studio shows you the resulting transaction graph, and (if a Daml Script fails) what caused it to fail.

See Test Templates Using Daml Script.

Contract Key

A contract key allows you to uniquely identify a contract of a particular template, similar to a primary key in a database table.

A contract key requires a maintainer: a simple key would be something like a tuple of text and maintainer, like (accountId, bank).

See Reference: Contract Keys.

DAR File, DALF File

A Daml Archive file, known as a .dar file is the result of compiling Daml code using the Assistant which can be interpreted using a Daml interpreter.

You upload .dar files to a ledger in order to be able to create contracts from the templates in that file.

A .dar contains multiple .dalf files. A .dalf file is the output of a compiled Daml package or library. Its underlying format is Daml-LF.

Developer Tools


Daml Assistant is a command-line tool for many tasks related to Daml. Using it, you can create Daml projects, compile Daml projects into .dar files, launch other developer tools, and download new SDK versions.

See Daml Assistant (daml).


Daml Studio is a plugin for Visual Studio Code, and is the IDE for writing Daml code.

See Daml Studio.


Sandbox is a lightweight ledger implementation. In its normal mode, you can use it for testing.

You can also run the Sandbox connected to a PostgreSQL back end, which gives you persistence and a more production-like experience.

See Daml Sandbox.

Building Applications

Application, Ledger Client, Integration

Application, ledger client, and integration are all terms for an application that sits on top of the ledger. These usually read from the ledger, send commands to the ledger, or both.

There’s a lot of information available about application development, starting with the Daml Application Architecture page.

Ledger API

The Ledger API is an API that’s exposed by any ledger on a participant node. Users access and manipulate the ledger state through the Ledger API. An alternative name for the Ledger API is the gRPC Ledger API if disambiguation from other technologies is needed. See The Ledger API page. It includes the following services.

Command Submission Service

Use the command submission service to submit commands - either create commands or exercise commands - to the ledger. See Command Submission Service.

Command Completion Service

Use the command completion service to find out whether or not commands you have submitted have completed, and what their status was. See Command Completion Service.

Command Service

Use the command service when you want to submit a command and wait for it to be executed. See Command Service.

Transaction Service

Use the transaction service to listen to changes in the ledger, reported as a stream of transactions. See Transaction Service.

Active Contract Service

Use the active contract service to obtain a party-specific view of all contracts currently active on the ledger. See Active Contracts Service.

Package Service

Use the package service to obtain information about Daml packages available on the ledger. See Package Service.

Ledger Identity Service

Use the ledger identity service to get the identity string of the ledger that your application is connected to. See Ledger Identity Service (DEPRECATED).

Ledger Configuration Service

Use the ledger configuration service to subscribe to changes in ledger configuration. See Ledger Configuration Service.

Ledger API Libraries

The following libraries wrap the ledger API for more native experience applications development.

Java Bindings

An idiomatic Java library for writing ledger applications. See Java Bindings.

Python Bindings

A Python library (formerly known as DAZL) for writing ledger applications. See Python Bindings.

Reading From the Ledger

Applications get information about the ledger by reading from it. You can’t query the ledger, but you can subscribe to the transaction stream to get the events, or the more sophisticated active contract service.

Submitting Commands, Writing To the Ledger

Applications make changes to the ledger by submitting commands. You can’t change it directly: an application submits a command of transactions. The command gets evaluated by the runtime, and will only be accepted if it’s valid.

For example, a command might get rejected because the transactions aren’t well-authorized; because the contract isn’t active (perhaps someone else archived it); or for other reasons.

This is echoed in Daml script, where you can mock an application by having parties submit transactions/updates to the ledger. You can use submit or submitMustFail to express what should succeed and what shouldn’t.


A command is an instruction to add a transaction to the ledger.

Participant Node

The participant node is a server that provides users with consistent programmatic access to a ledger through the Ledger API. The participant nodes handle transaction signing and validation, such that users don’t have to deal with cryptographic primitives but can trust the participant node that the data they are observing has been properly verified to be correct.

Sub-transaction Privacy

Sub-transaction privacy is where participants in a transaction only learn about the subset of the transaction they are directly involved in, but not about any other part of the transaction. This applies to both the content of the transaction as well as other involved participants.


When you compile Daml source code into a .dar file, the underlying format is Daml-LF. Daml-LF is similar to Daml, but is stripped down to a core set of features. The relationship between the surface Daml syntax and Daml-LF is loosely similar to that between Java and JVM bytecode.

As a user, you don’t need to interact with Daml-LF directly. But internally, it’s used for:

  • executing Daml code on the Sandbox or on another platform
  • sending and receiving values via the Ledger API (using a protocol such as gRPC)
  • generating code in other languages for interacting with Daml models (often called “codegen”)


Composability is the ability of a participant to extend an existing system with new Daml applications or new topologies unilaterally without requiring cooperation from anyone except the directly involved participants who wish to be part of the new application functionality.

Trust Domain

A trust domain encompasses a part of the system (in particular, a Daml ledger) operated by a single real-world entity. This subsystem may consist of one or more physical nodes. A single physical machine is always assumed to be controlled by exactly one real-world entity.

Canton Concepts


The domain provides total ordered, guaranteed delivery multi-cast to the participants. This means that participant nodes communicate with each other by sending end-to-end encrypted messages through the domain.

The sequencer service of the domain orders these messages without knowing about the content and ensures that every participant receives the messages in the same order.

The other services of the domain are the mediator and the domain identity manager.

Private Contract Store

Every participant node manages its own private contract store (PCS) which contains only contracts the participant is privy to. There is no global state or global contract store.

Virtual Global Ledger

While every participant has their own private contract store (PCS), the Canton protocol guarantees that the contracts which are stored in the PCS are well-authorized and that any change to the store is justified, authorized, and valid. The result is that every participant only possesses a small part of the virtual global ledger. All the local stores together make up that virtual global ledger and they are thus synchronized. The Canton protocol guarantees that the virtual ledger provides integrity, privacy, transparency, and auditability. The ledger is logically global, even though physically, it runs on segregated and isolated domains that are not aware of each other.


The mediator is a service provided by the domain and used by the Canton protocol. The mediator acts as commit coordinator, collecting individual transaction verdicts issued by validating participants and aggregating them into a single result. The mediator does not learn about the content of the transaction, they only learn about the involved participants.


The sequencer is a service provided by the domain, used by the Canton protocol. The sequencer forwards encrypted addressed messages from participants and ensures that every member receives the messages in the same order. Think about registered and sealed mail delivered according to the postal datestamp.

Domain Identity Manager

The Domain Identity Manager is a service provided by the domain, used by the Canton protocol. Participants join a new domain by registering with the domain identity manager. The domain identity manager establishes a consistent identity state among all participants. The domain identity manager only forwards identity updates. It can not invent them.


The Canton protocol does not use PBFT or any similar consensus algorithm. There is no proof of work or proof of stake involved. Instead, Canton uses a variant of a stakeholder-based two-phase commit protocol. As such, only stakeholders of a transaction are involved in it and need to process it, providing efficiency, privacy, and horizontal scalability. Canton-based ledgers are resilient to malicious participants as long as there is at least a single honest participant. A domain integration itself might be using the consensus mechanism of the underlying platform, but participant nodes will not be involved in that process.