Skip to main content

Documentation Index

Fetch the complete documentation index at: https://cantonfoundation-issue-365-details-history.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Joining the Canton Network as a validator requires onboarding through a Super Validator (SV) sponsor. The process differs by network environment, but the core steps remain the same: register your IP, receive an onboarding secret, and deploy your node.

Network environments

This section was copied from existing reviewed documentation. Source: docs/src/validator_operator/validator_onboarding.rst Reviewers: Skip this section. Remove markers after final approval.

Networks

There are three different networks: DevNet, TestNet and MainNet. If you are only interested in setting up a validator node, you can set up a node on DevNet for practice, then jump to MainNet. If you’d like to build, test, or deploy an app, we recommend that you run a node on DevNet, TestNet, and MainNet. DevNet DevNet is open to any node but still requires the validator’s egress IP to be added to the allowlist maintained by the SV node operators. It gets reset every 3 months. DevNet always gets upgraded to new versions before TestNet and MainNet, so it is a good way to test upgrades of your node and their impact on your apps before they reach MainNet. TestNet Joining TestNet requires that you have been approved to join MainNet by the Tokenomics Committee of the Global Synchronizer Foundation. You can initiate a request to do so through sync.global/validator-request. Just like for DevNet, is also still requires your validator’s egress IP to be added to the allowlist and it requires an onboarding secret from your SV sponsor. Just like DevNet, TestNet gets reset every 3-6 months, but the reset schedule is shifted so TestNet never gets reset at the same time as DevNet. TestNet upgrades to new versions after DevNet, but before MainNet so it provides an additional layer of testing. Application providers are encouraged to maintain long-running instances of their app on TestNet, which allows using TestNet to test composed applications. MainNet MainNet requires everything TestNet requires, so approval by the Tokenomics committee, an IP on the allowlist, and an onboarding secret from your SV sponsor. MainNet never gets reset and is therefore the only network where data is always preserved. MainNet gets upgraded to new versions after DevNet and TestNet. Canton Network operates three shared environments, each with different onboarding requirements:
  • DevNet — Open to any operator. Resets every 3 months. Receives upgrades first, making it the right place to test new versions. Onboarding secrets are self-service via API and valid for 1 hour.
  • TestNet — Requires approval to join by the Tokenomics Committee. Resets every 3-6 months on a staggered schedule from DevNet. Provides an intermediate testing environment before production.
  • MainNet — The production network. Data is permanent (no resets). Requires full approval from the Tokenomics Committee and an SV sponsor.

Finding a Super Validator sponsor

Every validator needs an SV sponsor to join the network. The sponsor provides your onboarding secret and submits your egress IP for allowlisting. To find a sponsor, consult the list of Super Validators at canton.foundation or reach out on the #validator-operations Slack channel (accessible via the Global Synchronizer Foundation Slack Connect). On DevNet, you can generate your own onboarding secret through the self-service API without contacting a sponsor directly. TestNet and MainNet require your sponsor to manually provision the secret.

Step-by-step onboarding

This section was copied from existing reviewed documentation. Source: docs/src/validator_operator/validator_onboarding.rst Reviewers: Skip this section. Remove markers after final approval.

Onboarding Process Overview

Onboarding a Validator involves the following steps (for each network you want to join).
  1. Provide your sponsoring SV with the egress IP for your Validator node. Only one IP may be provided per network, and this IP must be distinct from the IP you use for any other of the three networks.
At this point this can also be accomplished by connecting your validator through a VPN run by an SV This can be useful when trying to run a validator from a local laptop. This option may be removed in the future.
  1. Wait for super validators to adopt the new IP allowlist. This usually takes between 2-7 days.
  2. If you want to access the Canton Coin Scan Web UI from your laptop, you also need to ensure that you can connect to a VPN operated by one of the SVs. This is required as laptops usually do not have static IP addresses and the Scan web UI is not (yet) fully public. If you can use your validator egress IP also for browsing the web UI this is not necessary.
  3. Request an onboarding secret from your SV sponsor. On DevNet, you can do this yourself through an API call (refer to Deployment Options for details). On TestNet and MainNet your SV sponsor needs to provide you with this manually. Note that onboarding secrets are only valid for 48 hours and are one-time use, and self-generated DevNet secrets are only valid for 1 hour. If it expired, you need to request a new one.
  4. Deploy your node either using docker compose or Kubernetes. Refer to the Deployment Options for information on how to choose between them and references to each of the two approaches. You will need to make sure that all IP traffic going from your validator to the SVs uses the egress IP you provided to your SV sponsor and you need to provide the onboarding secret.

1. Determine your static egress IP

All outbound traffic from your validator must originate from a single, static IP address. Each network environment (DevNet, TestNet, MainNet) requires its own dedicated IP. Verify your egress IP: 
curl -sSL http://checkip.amazonaws.com
If you run behind a NAT gateway or cloud NAT, confirm that all validator traffic routes through the registered IP.

2. Submit your IP for allowlisting

Provide your egress IP to your sponsoring SV. The SV distributes it to other Super Validators, who add it to their firewall allowlists. This process typically takes 2-7 days.
For accessing web UIs (like the Scan UI) from personal devices, you need VPN connectivity through an SV operator, since laptops typically do not have static IP addresses.

3. Validate IP approval

Before deploying, confirm your IP has been allowlisted. Query the sequencer health endpoint and Scan endpoints from your validator’s network to verify connectivity: 
# Check your egress IP
curl -sSL http://checkip.amazonaws.com

# Verify connectivity to the sequencer (URL depends on environment)
curl -s https://sequencer.sync.global/api/health
If the requests fail or time out, your IP has not yet been added to all SV allowlists.

4. Obtain your onboarding secret

DevNet (self-service): Generate a secret by calling the SV onboarding API endpoint directly. Self-generated DevNet secrets are valid for 1 hour and are single-use. TestNet and MainNet: Request the secret from your SV sponsor. They generate it through their SV node and provide it to you out-of-band.
Onboarding secrets are valid for 48 hours and are single-use. If your secret expires before you complete deployment, request a new one from your sponsor. DevNet self-service secrets have a shorter 1-hour expiry.

5. Deploy your validator node

With your IP allowlisted and onboarding secret in hand, deploy your validator using either Docker Compose or Kubernetes. Both paths require the following parameters:
  • Sponsor SV URL — The application URL of your sponsoring SV (provided by the sponsor)
  • Onboarding secret — The one-time secret from step 4
  • Migration ID — The current network migration identifier (published at sync.global/sv-network/)
  • Party hint — Your validator admin party identifier, formatted as organization-function-enumerator (for example, acmeCorp-validator-1)
See the Installation page for deployment instructions.

6. Verify connectivity

After your node starts, confirm it has successfully onboarded:
  • Check the validator logs for successful onboarding messages
  • Access the Wallet UI to verify your validator identity
  • Confirm the node appears in the Scan UI

TestNet and MainNet approval process

For TestNet and MainNet, the onboarding process includes governance approval:
  1. Contact an SV sponsor and discuss your use case
  2. SV sponsor submits a vote to the Tokenomics Committee on your behalf
  3. Committee reviews and approves your onboarding request
  4. SV sponsor provisions your onboarding secret after approval
  5. IP allowlisting proceeds across all Super Validators (2-7 days)
  6. Deploy within 48 hours of receiving your onboarding secret

Staying connected

To stay connected with other validator operators, there is a shared slack channel and a few mailing lists:

Slack

Join the #validator-operations channel hosted by the Global Synchronizer Foundation using Slack Connect: https://daholdings.slack.com/archives/C08AP9QR7K4. Your Slack workspace may allow you to browse to this channel, or you can ask your SV sponsor to send you an invitation.

Mailing Lists

You can sign up for various mailing lists provided by the Global Synchronizer Foundation. To do so, first create an account at https://groups.io/ and then log in at https://lists.sync.global/. We recommend the following lists:
  • main: for overall information about the Canton Network.
  • cip announce: for new Canton Improvement Proposals (CIPs).
  • tokenomics-announce: for announcements from the Tokenomics commitee. This also includes approval of new validators.
  • validator-announce: for other announcements intended for validator operators.

Support

Contact da-support@digitalasset.com for best-effort support, or support@digitalasset.com for SLA-based enterprise support.

Next steps

Prerequisites

Review system requirements before deploying.

Installation

Deploy your validator node.