From 84bd68d6211d6fdd3986d3553dc94230fc4a5fad Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Fri, 22 May 2026 10:57:14 +0200
Subject: [PATCH 1/6] feat: hide secret details from listNetwork

The absence of the clientSecret also implies that the self-signed login
can no longer be done on the frontend. Instead, the backend now must
mint a self-signed token.

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 api-specs/openrpc-user-api.json               | 107 +++++++++++++++++-
 .../src/components/login-form.ts              |  17 ++-
 .../src/components/network-card.ts            |  10 +-
 .../src/components/network-table.ts           |   4 +-
 .../src/components/networks.ts                |  11 +-
 core/wallet-user-rpc-client/src/index.ts      |  32 +++++-
 core/wallet-user-rpc-client/src/openrpc.json  | 107 +++++++++++++++++-
 .../wallet-gateway/apis/index.md              |   3 +-
 .../remote/src/user-api/controller.ts         |  77 ++++++++++++-
 .../remote/src/user-api/rpc-gen/index.ts      |   3 +
 .../remote/src/user-api/rpc-gen/typings.ts    |  27 ++++-
 .../remote/src/user-api/server.test.ts        |   9 +-
 .../remote/src/web/frontend/login/login.ts    |  29 +++--
 .../remote/src/web/frontend/networks/index.ts |   7 +-
 .../src/web/frontend/networks/review/index.ts |  22 ++--
 .../remote/src/web/frontend/settings/index.ts |   4 +-
 16 files changed, 403 insertions(+), 66 deletions(-)

diff --git a/api-specs/openrpc-user-api.json b/api-specs/openrpc-user-api.json
index 130c84f91..843ba3bc0 100644
--- a/api-specs/openrpc-user-api.json
+++ b/api-specs/openrpc-user-api.json
@@ -74,13 +74,50 @@
                             "title": "networks",
                             "type": "array",
                             "items": {
-                                "$ref": "#/components/schemas/Network"
+                                "$ref": "#/components/schemas/PublicNetwork"
                             }
                         }
                     },
                     "required": ["networks"]
                 }
-            }
+            },
+            "description": "Lists configured networks without sensitive authentication details."
+        },
+        {
+            "name": "getNetwork",
+            "params": [
+                {
+                    "name": "params",
+                    "schema": {
+                        "title": "GetNetworkParams",
+                        "type": "object",
+                        "additionalProperties": false,
+                        "properties": {
+                            "networkId": {
+                                "title": "networkId",
+                                "type": "string",
+                                "description": "Network ID"
+                            }
+                        },
+                        "required": ["networkId"]
+                    }
+                }
+            ],
+            "result": {
+                "name": "result",
+                "schema": {
+                    "title": "GetNetworkResult",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "network": {
+                            "$ref": "#/components/schemas/Network"
+                        }
+                    },
+                    "required": ["network"]
+                }
+            },
+            "description": "Returns full network configuration including auth details. Admin only."
         },
         {
             "name": "addIdp",
@@ -877,6 +914,72 @@
                 "format": "uuid",
                 "description": "The internal transaction identifier."
             },
+            "PublicNetwork": {
+                "title": "PublicNetwork",
+                "type": "object",
+                "additionalProperties": false,
+                "description": "Network metadata exposed by listNetworks without sensitive auth configuration",
+                "properties": {
+                    "id": {
+                        "title": "networkId",
+                        "type": "string",
+                        "description": "Network ID"
+                    },
+                    "name": {
+                        "title": "name",
+                        "type": "string",
+                        "description": "Name of network"
+                    },
+                    "description": {
+                        "title": "description",
+                        "type": "string",
+                        "description": "Description of network"
+                    },
+                    "synchronizerId": {
+                        "title": "synchronizerId",
+                        "type": "string",
+                        "description": "Synchronizer ID"
+                    },
+                    "identityProviderId": {
+                        "title": "identityProviderId",
+                        "type": "string",
+                        "description": "Identity Provider ID"
+                    },
+                    "ledgerApi": {
+                        "title": "ledgerApi",
+                        "type": "string",
+                        "description": "Ledger api url"
+                    },
+                    "authMethod": {
+                        "title": "authMethod",
+                        "type": "string",
+                        "description": "Authentication method configured for this network"
+                    },
+                    "clientId": {
+                        "title": "clientId",
+                        "type": "string",
+                        "description": "OAuth or self-signed client ID used for user login"
+                    },
+                    "scope": {
+                        "title": "scope",
+                        "type": "string",
+                        "description": "OAuth scope used for user login"
+                    },
+                    "audience": {
+                        "title": "audience",
+                        "type": "string",
+                        "description": "OAuth audience used for user login"
+                    }
+                },
+                "required": [
+                    "id",
+                    "name",
+                    "description",
+                    "identityProviderId",
+                    "ledgerApi",
+                    "authMethod"
+                ]
+            },
             "Network": {
                 "title": "Network",
                 "type": "object",
diff --git a/core/wallet-ui-components/src/components/login-form.ts b/core/wallet-ui-components/src/components/login-form.ts
index 0495a170d..d0278d5ab 100644
--- a/core/wallet-ui-components/src/components/login-form.ts
+++ b/core/wallet-ui-components/src/components/login-form.ts
@@ -5,14 +5,14 @@ import { css, html, PropertyValues } from 'lit'
 import { customElement, property, state } from 'lit/decorators.js'
 import './back-link.js'
 import { BaseElement } from '../internal/base-element.js'
-import { Network, Idp } from '@canton-network/core-wallet-user-rpc-client'
+import { PublicNetwork, Idp } from '@canton-network/core-wallet-user-rpc-client'
 import { chevronDownIcon } from '../icons'
 import cantonLogo from '../../images/logos/canton-logo.png'
 
 /** Emitted when the user clicks the Connect button */
 export class LoginConnectEvent extends Event {
     constructor(
-        public selectedNetwork: Network,
+        public selectedNetwork: PublicNetwork,
         public selectedIdp: Idp,
         public clientId: string
     ) {
@@ -34,7 +34,7 @@ export class LoginBackEvent extends Event {
 @customElement('wg-login-form')
 export class WgLoginForm extends BaseElement {
     /** Available networks to show in the dropdown */
-    @property({ type: Array }) networks: Network[] = []
+    @property({ type: Array }) networks: PublicNetwork[] = []
 
     /** Available identity providers */
     @property({ type: Array }) idps: Idp[] = []
@@ -42,7 +42,7 @@ export class WgLoginForm extends BaseElement {
     @property({ type: Boolean }) connecting = false
     @property({ type: String }) backHref = '/'
 
-    @state() accessor selectedNetwork: Network | null = null
+    @state() accessor selectedNetwork: PublicNetwork | null = null
     @state() accessor selectedIdp: Idp | null = null
     @state() accessor message: string | null = null
     @state() accessor messageType: 'error' | 'info' | null = null
@@ -141,7 +141,7 @@ export class WgLoginForm extends BaseElement {
 
         if (changedProperties.has('networks') && !this.selectedNetwork) {
             const index = this.networks.findIndex(
-                (network) => network.auth.method !== 'client_credentials'
+                (network) => network.authMethod !== 'client_credentials'
             )
 
             if (index >= 0) {
@@ -211,7 +211,7 @@ export class WgLoginForm extends BaseElement {
                 this.renderRoot.querySelector(
                     '#client-id'
                 ) as HTMLInputElement | null
-            )?.value || this.selectedNetwork.auth.clientId
+            )?.value || this.selectedNetwork.clientId
 
         this.dispatchEvent(
             new LoginConnectEvent(this.selectedNetwork, idp, clientId)
@@ -262,7 +262,7 @@ export class WgLoginForm extends BaseElement {
                                 (net, index) =>
                                     html`<option
                                         value=${index}
-                                        ?disabled=${net.auth.method ===
+                                        ?disabled=${net.authMethod ===
                                         'client_credentials'}
                                     >
                                         ${net.name}
@@ -283,8 +283,7 @@ export class WgLoginForm extends BaseElement {
                                   id="client-id"
                                   class="client-id-input form-control"
                                   type="text"
-                                  .value=${this.selectedNetwork?.auth
-                                      .clientId || ''}
+                                  .value=${this.selectedNetwork?.clientId || ''}
                                   ?disabled=${this.connecting}
                               />
                           `
diff --git a/core/wallet-ui-components/src/components/network-card.ts b/core/wallet-ui-components/src/components/network-card.ts
index 245b5e6b6..d45a22a44 100644
--- a/core/wallet-ui-components/src/components/network-card.ts
+++ b/core/wallet-ui-components/src/components/network-card.ts
@@ -4,19 +4,19 @@
 import { customElement, property } from 'lit/decorators.js'
 import { BaseElement } from '../internal/base-element'
 import { css, html } from 'lit'
-import { Network } from '@canton-network/core-wallet-store'
+import { PublicNetwork } from '@canton-network/core-wallet-user-rpc-client'
 import { cardStyles } from '../styles/card'
 
 /** Emitted when the user clicks a network card to review it */
 export class NetworkCardReviewEvent extends Event {
-    constructor(public network: Network) {
+    constructor(public network: PublicNetwork) {
         super('network-review', { bubbles: true, composed: true })
     }
 }
 
 /** Emitted when the user clicks the "Delete" button on a network card */
 export class NetworkCardDeleteEvent extends Event {
-    constructor(public network: Network) {
+    constructor(public network: PublicNetwork) {
         super('delete', { bubbles: true, composed: true })
     }
 }
@@ -30,7 +30,7 @@ export class NetworkCardUpdateEvent extends Event {
 
 @customElement('network-card')
 export class NetworkCard extends BaseElement {
-    @property({ type: Object }) network: Network | null = null
+    @property({ type: Object }) network: PublicNetwork | null = null
     @property({ type: Boolean }) activeSession = false
     @property({ type: String }) accessToken = ''
     @property({ type: Boolean }) readonly = false
@@ -184,7 +184,7 @@ export class NetworkCard extends BaseElement {
 
                     <div class="meta-row">
                         <p class="meta-title">Auth</p>
-                        <p class="meta-value">${this.network.auth.method}</p>
+                        <p class="meta-value">${this.network.authMethod}</p>
                     </div>
 
                     ${syncId
diff --git a/core/wallet-ui-components/src/components/network-table.ts b/core/wallet-ui-components/src/components/network-table.ts
index 7af86949d..e0ec3773a 100644
--- a/core/wallet-ui-components/src/components/network-table.ts
+++ b/core/wallet-ui-components/src/components/network-table.ts
@@ -1,7 +1,7 @@
 // Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-import { Network } from '@canton-network/core-wallet-store'
+import { PublicNetwork } from '@canton-network/core-wallet-user-rpc-client'
 import { html } from 'lit'
 import { customElement, property } from 'lit/decorators.js'
 
@@ -10,7 +10,7 @@ import { Session } from '@canton-network/core-wallet-user-rpc-client'
 
 @customElement('network-table')
 export class NetworkTable extends BaseElement {
-    @property({ type: Array }) networks: Network[] = []
+    @property({ type: Array }) networks: PublicNetwork[] = []
     @property({ type: Array }) activeSessions: Session[] = []
     @property({ type: Boolean }) readonly = false
 
diff --git a/core/wallet-ui-components/src/components/networks.ts b/core/wallet-ui-components/src/components/networks.ts
index 3cee435f2..aad858878 100644
--- a/core/wallet-ui-components/src/components/networks.ts
+++ b/core/wallet-ui-components/src/components/networks.ts
@@ -3,7 +3,10 @@
 
 import { html, css } from 'lit'
 import { customElement, property, state } from 'lit/decorators.js'
-import { Network, Session } from '@canton-network/core-wallet-user-rpc-client'
+import {
+    PublicNetwork,
+    Session,
+} from '@canton-network/core-wallet-user-rpc-client'
 
 import { BaseElement } from '../internal/base-element'
 import { modalStyles } from '../styles/modal'
@@ -25,13 +28,13 @@ export class WgNetworks extends BaseElement {
         `,
     ]
 
-    @property({ type: Array }) accessor networks: Network[] = []
+    @property({ type: Array }) accessor networks: PublicNetwork[] = []
     @property({ type: Array }) accessor activeSessions: Session[] = []
     @property({ type: Boolean }) accessor readonly = false
     @state() accessor isModalOpen = false
-    @state() accessor editingNetwork: Network | null = null
+    @state() accessor editingNetwork: PublicNetwork | null = null
     @state() accessor authType: string =
-        this.editingNetwork?.auth?.method ?? 'authorization_code'
+        this.editingNetwork?.authMethod ?? 'authorization_code'
 
     connectedCallback(): void {
         super.connectedCallback()
diff --git a/core/wallet-user-rpc-client/src/index.ts b/core/wallet-user-rpc-client/src/index.ts
index 26b0afa60..bdd19867e 100644
--- a/core/wallet-user-rpc-client/src/index.ts
+++ b/core/wallet-user-rpc-client/src/index.ts
@@ -80,6 +80,23 @@ export interface Network {
     adminAuth?: Auth
     ledgerApi: LedgerApi
 }
+/**
+ *
+ * Network metadata exposed by listNetworks without sensitive auth configuration
+ *
+ */
+export interface PublicNetwork {
+    id: NetworkId
+    name: Name
+    description: Description
+    synchronizerId?: SynchronizerId
+    identityProviderId: IdentityProviderId
+    ledgerApi: LedgerApi
+    authMethod: Method
+    clientId?: ClientId
+    scope?: Scope
+    audience?: Audience
+}
 /**
  *
  * Ledger api url
@@ -180,6 +197,7 @@ export type MessageId = string
 export type Signature = string
 export type SignedBy = string
 export type Networks = Network[]
+export type PublicNetworks = PublicNetwork[]
 export type Idps = Idp[]
 /**
  *
@@ -485,7 +503,13 @@ export interface DeleteTransactionParams {
  */
 export type Null = null
 export interface ListNetworksResult {
-    networks: Networks
+    networks: PublicNetworks
+}
+export interface GetNetworkParams {
+    networkId: NetworkId
+}
+export interface GetNetworkResult {
+    network: Network
 }
 export interface ListIdpsResult {
     idps: Idps
@@ -581,6 +605,7 @@ export interface GetUserResult {
 export type AddNetwork = (params: AddNetworkParams) => Promise<Null>
 export type RemoveNetwork = (params: RemoveNetworkParams) => Promise<Null>
 export type ListNetworks = () => Promise<ListNetworksResult>
+export type GetNetwork = (params: GetNetworkParams) => Promise<GetNetworkResult>
 export type AddIdp = (params: AddIdpParams) => Promise<Null>
 export type RemoveIdp = (params: RemoveIdpParams) => Promise<Null>
 export type ListIdps = () => Promise<ListIdpsResult>
@@ -647,6 +672,11 @@ export type RpcTypes = {
         result: Result<ListNetworks>
     }
 
+    getNetwork: {
+        params: Params<GetNetwork>
+        result: Result<GetNetwork>
+    }
+
     addIdp: {
         params: Params<AddIdp>
         result: Result<AddIdp>
diff --git a/core/wallet-user-rpc-client/src/openrpc.json b/core/wallet-user-rpc-client/src/openrpc.json
index 130c84f91..843ba3bc0 100644
--- a/core/wallet-user-rpc-client/src/openrpc.json
+++ b/core/wallet-user-rpc-client/src/openrpc.json
@@ -74,13 +74,50 @@
                             "title": "networks",
                             "type": "array",
                             "items": {
-                                "$ref": "#/components/schemas/Network"
+                                "$ref": "#/components/schemas/PublicNetwork"
                             }
                         }
                     },
                     "required": ["networks"]
                 }
-            }
+            },
+            "description": "Lists configured networks without sensitive authentication details."
+        },
+        {
+            "name": "getNetwork",
+            "params": [
+                {
+                    "name": "params",
+                    "schema": {
+                        "title": "GetNetworkParams",
+                        "type": "object",
+                        "additionalProperties": false,
+                        "properties": {
+                            "networkId": {
+                                "title": "networkId",
+                                "type": "string",
+                                "description": "Network ID"
+                            }
+                        },
+                        "required": ["networkId"]
+                    }
+                }
+            ],
+            "result": {
+                "name": "result",
+                "schema": {
+                    "title": "GetNetworkResult",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "network": {
+                            "$ref": "#/components/schemas/Network"
+                        }
+                    },
+                    "required": ["network"]
+                }
+            },
+            "description": "Returns full network configuration including auth details. Admin only."
         },
         {
             "name": "addIdp",
@@ -877,6 +914,72 @@
                 "format": "uuid",
                 "description": "The internal transaction identifier."
             },
+            "PublicNetwork": {
+                "title": "PublicNetwork",
+                "type": "object",
+                "additionalProperties": false,
+                "description": "Network metadata exposed by listNetworks without sensitive auth configuration",
+                "properties": {
+                    "id": {
+                        "title": "networkId",
+                        "type": "string",
+                        "description": "Network ID"
+                    },
+                    "name": {
+                        "title": "name",
+                        "type": "string",
+                        "description": "Name of network"
+                    },
+                    "description": {
+                        "title": "description",
+                        "type": "string",
+                        "description": "Description of network"
+                    },
+                    "synchronizerId": {
+                        "title": "synchronizerId",
+                        "type": "string",
+                        "description": "Synchronizer ID"
+                    },
+                    "identityProviderId": {
+                        "title": "identityProviderId",
+                        "type": "string",
+                        "description": "Identity Provider ID"
+                    },
+                    "ledgerApi": {
+                        "title": "ledgerApi",
+                        "type": "string",
+                        "description": "Ledger api url"
+                    },
+                    "authMethod": {
+                        "title": "authMethod",
+                        "type": "string",
+                        "description": "Authentication method configured for this network"
+                    },
+                    "clientId": {
+                        "title": "clientId",
+                        "type": "string",
+                        "description": "OAuth or self-signed client ID used for user login"
+                    },
+                    "scope": {
+                        "title": "scope",
+                        "type": "string",
+                        "description": "OAuth scope used for user login"
+                    },
+                    "audience": {
+                        "title": "audience",
+                        "type": "string",
+                        "description": "OAuth audience used for user login"
+                    }
+                },
+                "required": [
+                    "id",
+                    "name",
+                    "description",
+                    "identityProviderId",
+                    "ledgerApi",
+                    "authMethod"
+                ]
+            },
             "Network": {
                 "title": "Network",
                 "type": "object",
diff --git a/docs/dapp-building/wallet-gateway/apis/index.md b/docs/dapp-building/wallet-gateway/apis/index.md
index b80d294d9..1a3e342d9 100644
--- a/docs/dapp-building/wallet-gateway/apis/index.md
+++ b/docs/dapp-building/wallet-gateway/apis/index.md
@@ -36,7 +36,8 @@ The User API enables users to manage their wallets, configure networks, manage i
 | Sessions           | `addSession()`         | Create a new session (unauthenticated, used for initial connection) |
 |                    | `removeSession()`      | End the current session                                             |
 |                    | `listSessions()`       | List sessions for the current user                                  |
-| Networks           | `listNetworks()`       | List all configured networks                                        |
+| Networks           | `listNetworks()`       | List configured networks (public metadata only, no auth secrets)    |
+|                    | `getNetwork()`         | Get full network configuration including auth (admin only)          |
 |                    | `addNetwork()`         | Add a new network configuration                                     |
 |                    | `removeNetwork()`      | Remove a network configuration                                      |
 | Identity Providers | `listIdps()`           | List all identity providers                                         |
diff --git a/wallet-gateway/remote/src/user-api/controller.ts b/wallet-gateway/remote/src/user-api/controller.ts
index 7dd74e43d..147a42f32 100644
--- a/wallet-gateway/remote/src/user-api/controller.ts
+++ b/wallet-gateway/remote/src/user-api/controller.ts
@@ -32,6 +32,10 @@ import {
     Null,
     ListTransactionsResult,
     GetUserResult,
+    GetNetworkParams,
+    GetNetworkResult,
+    Network as ApiNetwork,
+    PublicNetwork,
 } from './rpc-gen/typings.js'
 import { Store, Network } from '@canton-network/core-wallet-store'
 import { Logger } from 'pino'
@@ -40,6 +44,7 @@ import {
     assertConnected,
     AuthContext,
     authSchema,
+    Auth,
     AuthTokenProvider,
     fetchOidcUserInfo,
     idpSchema,
@@ -174,12 +179,16 @@ export const userController = (
         listNetworks: async () => {
             const networks = await store.listNetworks()
             return {
-                networks: networks.map((n) => ({
-                    ...n,
-                    ledgerApi: n.ledgerApi.baseUrl,
-                })),
+                networks: networks.map(toPublicNetwork),
             }
         },
+        getNetwork: async (
+            params: GetNetworkParams
+        ): Promise<GetNetworkResult> => {
+            assertAdmin()
+            const network = await store.getNetwork(params.networkId)
+            return { network: toApiNetwork(network) }
+        },
         addIdp: async (params: AddIdpParams) => {
             assertAdmin()
             const validatedIdp = idpSchema.parse(params.idp)
@@ -1069,3 +1078,63 @@ export const userController = (
         },
     })
 }
+
+function toApiAuth(auth: Auth): ApiNetwork['auth'] {
+    const base = {
+        method: auth.method,
+        audience: auth.audience,
+        scope: auth.scope,
+        clientId: auth.clientId,
+    }
+
+    if (auth.method === 'self_signed') {
+        return {
+            ...base,
+            issuer: auth.issuer,
+            clientSecret: auth.clientSecret,
+        }
+    }
+
+    if (auth.method === 'client_credentials') {
+        return {
+            ...base,
+            clientSecret: auth.clientSecret,
+        }
+    }
+
+    return base
+}
+
+function toApiNetwork(network: Network): ApiNetwork {
+    return {
+        id: network.id,
+        name: network.name,
+        description: network.description,
+        synchronizerId: network.synchronizerId,
+        identityProviderId: network.identityProviderId,
+        ledgerApi: network.ledgerApi.baseUrl,
+        auth: toApiAuth(network.auth),
+        ...(network.adminAuth
+            ? { adminAuth: toApiAuth(network.adminAuth) }
+            : {}),
+    }
+}
+
+function toPublicNetwork(network: Network): PublicNetwork {
+    const auth = network.auth
+
+    return {
+        id: network.id,
+        name: network.name,
+        description: network.description,
+        synchronizerId: network.synchronizerId,
+        identityProviderId: network.identityProviderId,
+        ledgerApi: network.ledgerApi.baseUrl,
+        authMethod: auth.method,
+        ...(auth.method !== 'client_credentials' && {
+            clientId: auth.clientId,
+            scope: auth.scope,
+            audience: auth.audience,
+        }),
+    }
+}
diff --git a/wallet-gateway/remote/src/user-api/rpc-gen/index.ts b/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
index 4b0c3e318..ed9f3a82b 100644
--- a/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
+++ b/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
@@ -4,6 +4,7 @@
 import { AddNetwork } from './typings.js'
 import { RemoveNetwork } from './typings.js'
 import { ListNetworks } from './typings.js'
+import { GetNetwork } from './typings.js'
 import { AddIdp } from './typings.js'
 import { RemoveIdp } from './typings.js'
 import { ListIdps } from './typings.js'
@@ -32,6 +33,7 @@ export type Methods = {
     addNetwork: AddNetwork
     removeNetwork: RemoveNetwork
     listNetworks: ListNetworks
+    getNetwork: GetNetwork
     addIdp: AddIdp
     removeIdp: RemoveIdp
     listIdps: ListIdps
@@ -62,6 +64,7 @@ function buildController(methods: Methods) {
         addNetwork: methods.addNetwork,
         removeNetwork: methods.removeNetwork,
         listNetworks: methods.listNetworks,
+        getNetwork: methods.getNetwork,
         addIdp: methods.addIdp,
         removeIdp: methods.removeIdp,
         listIdps: methods.listIdps,
diff --git a/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts b/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
index d93b98e69..802879f09 100644
--- a/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
+++ b/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
@@ -79,6 +79,23 @@ export interface Network {
     adminAuth?: Auth
     ledgerApi: LedgerApi
 }
+/**
+ *
+ * Network metadata exposed by listNetworks without sensitive auth configuration
+ *
+ */
+export interface PublicNetwork {
+    id: NetworkId
+    name: Name
+    description: Description
+    synchronizerId?: SynchronizerId
+    identityProviderId: IdentityProviderId
+    ledgerApi: LedgerApi
+    authMethod: Method
+    clientId?: ClientId
+    scope?: Scope
+    audience?: Audience
+}
 /**
  *
  * Ledger api url
@@ -179,6 +196,7 @@ export type MessageId = string
 export type Signature = string
 export type SignedBy = string
 export type Networks = Network[]
+export type PublicNetworks = PublicNetwork[]
 export type Idps = Idp[]
 /**
  *
@@ -484,7 +502,13 @@ export interface DeleteTransactionParams {
  */
 export type Null = null
 export interface ListNetworksResult {
-    networks: Networks
+    networks: PublicNetworks
+}
+export interface GetNetworkParams {
+    networkId: NetworkId
+}
+export interface GetNetworkResult {
+    network: Network
 }
 export interface ListIdpsResult {
     idps: Idps
@@ -580,6 +604,7 @@ export interface GetUserResult {
 export type AddNetwork = (params: AddNetworkParams) => Promise<Null>
 export type RemoveNetwork = (params: RemoveNetworkParams) => Promise<Null>
 export type ListNetworks = () => Promise<ListNetworksResult>
+export type GetNetwork = (params: GetNetworkParams) => Promise<GetNetworkResult>
 export type AddIdp = (params: AddIdpParams) => Promise<Null>
 export type RemoveIdp = (params: RemoveIdpParams) => Promise<Null>
 export type ListIdps = () => Promise<ListIdpsResult>
diff --git a/wallet-gateway/remote/src/user-api/server.test.ts b/wallet-gateway/remote/src/user-api/server.test.ts
index ed023c478..cd466f02f 100644
--- a/wallet-gateway/remote/src/user-api/server.test.ts
+++ b/wallet-gateway/remote/src/user-api/server.test.ts
@@ -8,7 +8,6 @@ import express from 'express'
 import request from 'supertest'
 import { user } from './server.js'
 import { StoreInternal } from '@canton-network/core-wallet-store-inmemory'
-import { Network } from '@canton-network/core-wallet-store'
 import { ConfigUtils, deriveUrls } from '../config/ConfigUtils.js'
 import { NotificationService } from '../notification/NotificationService.js'
 import { pino } from 'pino'
@@ -48,7 +47,7 @@ test('call listNetworks rpc', async () => {
 
     expect(response.statusCode).toBe(200)
     expect(json.networks.length).toBe(6)
-    expect(json.networks.map((n: Network) => n.name)).toStrictEqual([
+    expect(json.networks.map((n: { name: string }) => n.name)).toStrictEqual([
         'Local (OAuth IDP)',
         'Local (OAuth IDP - 2)',
         'Local (OAuth IDP - Client Credentials)',
@@ -56,4 +55,10 @@ test('call listNetworks rpc', async () => {
         'Devnet (Auth0)',
         'LocalNet',
     ])
+
+    for (const network of json.networks) {
+        expect(network).not.toHaveProperty('auth')
+        expect(network).not.toHaveProperty('adminAuth')
+        expect(network).toHaveProperty('authMethod')
+    }
 })
diff --git a/wallet-gateway/remote/src/web/frontend/login/login.ts b/wallet-gateway/remote/src/web/frontend/login/login.ts
index 683cbc0e0..e5cb4c64f 100644
--- a/wallet-gateway/remote/src/web/frontend/login/login.ts
+++ b/wallet-gateway/remote/src/web/frontend/login/login.ts
@@ -12,14 +12,14 @@ import {
     WgLoginForm,
     toRelHref,
 } from '@canton-network/core-wallet-ui-components'
-import { createUserClient } from '../rpc-client'
-import { Network, Idp } from '@canton-network/core-wallet-user-rpc-client'
-import { stateManager } from '../state-manager'
-import '../index'
 import {
     AuthTokenProvider,
     ClientCredentials,
 } from '@canton-network/core-wallet-auth'
+import { createUserClient } from '../rpc-client'
+import { PublicNetwork, Idp } from '@canton-network/core-wallet-user-rpc-client'
+import { stateManager } from '../state-manager'
+import '../index'
 import { redirectToIntendedOrDefault, addUserSession } from '../index'
 
 const PKCE_CODE_VERIFIER_LENGTH = 64
@@ -55,7 +55,7 @@ const createPkcePair = async (): Promise<{
 @customElement('user-ui-login')
 export class LoginUI extends BaseElement {
     @state()
-    accessor networks: Network[] = []
+    accessor networks: PublicNetwork[] = []
 
     @state()
     accessor idps: Idp[] = []
@@ -113,30 +113,29 @@ export class LoginUI extends BaseElement {
             if (selectedIdp.type === 'self_signed') {
                 await this.selfSign({
                     clientId,
-                    clientSecret: selectedNetwork.auth.clientSecret || '',
-                    scope: selectedNetwork.auth.scope,
-                    audience: selectedNetwork.auth.audience,
+                    clientSecret: '',
+                    scope: selectedNetwork.scope ?? '',
+                    audience: selectedNetwork.audience ?? '',
                 } as ClientCredentials)
                 redirectToIntendedOrDefault()
                 return
             }
 
             if (selectedIdp.type === 'oauth') {
-                if (selectedNetwork.auth.method === 'authorization_code') {
+                if (selectedNetwork.authMethod === 'authorization_code') {
                     const redirectUri = new URL(
                         toRelHref('/callback'),
                         window.location.origin
                     ).toString()
 
-                    const auth = selectedNetwork.auth
                     const config = await fetch(
                         selectedIdp.configUrl || ''
                     ).then((res) => res.json())
 
                     const statePayload = {
                         configUrl: selectedIdp.configUrl,
-                        clientId: auth.clientId,
-                        audience: auth.audience,
+                        clientId: selectedNetwork.clientId,
+                        audience: selectedNetwork.audience,
                         stateId: crypto.randomUUID(),
                     }
 
@@ -148,11 +147,11 @@ export class LoginUI extends BaseElement {
 
                     const params = new URLSearchParams({
                         response_type: 'code',
-                        client_id: auth.clientId || '',
+                        client_id: selectedNetwork.clientId || '',
                         redirect_uri: redirectUri,
                         nonce: crypto.randomUUID(),
-                        scope: auth.scope || '',
-                        audience: auth.audience || '',
+                        scope: selectedNetwork.scope || '',
+                        audience: selectedNetwork.audience || '',
                         state: btoa(JSON.stringify(statePayload)),
                         code_challenge: challenge,
                         code_challenge_method: 'S256',
diff --git a/wallet-gateway/remote/src/web/frontend/networks/index.ts b/wallet-gateway/remote/src/web/frontend/networks/index.ts
index 94b144eb0..6142189d1 100644
--- a/wallet-gateway/remote/src/web/frontend/networks/index.ts
+++ b/wallet-gateway/remote/src/web/frontend/networks/index.ts
@@ -12,7 +12,10 @@ import {
     toRelPath,
 } from '@canton-network/core-wallet-ui-components'
 
-import { Network, Session } from '@canton-network/core-wallet-user-rpc-client'
+import {
+    PublicNetwork,
+    Session,
+} from '@canton-network/core-wallet-user-rpc-client'
 
 import { createUserClient } from '../rpc-client'
 import '../index'
@@ -20,7 +23,7 @@ import { stateManager } from '../state-manager'
 
 @customElement('user-ui-networks')
 export class UserUiNetworks extends BaseElement {
-    @state() accessor networks: Network[] = []
+    @state() accessor networks: PublicNetwork[] = []
     @state() accessor sessions: Session[] = []
     @state() accessor isAdmin = false
     @state() accessor currentPage = 1
diff --git a/wallet-gateway/remote/src/web/frontend/networks/review/index.ts b/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
index ac22a48d4..a080c8d78 100644
--- a/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
+++ b/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
@@ -12,11 +12,9 @@ import {
     toRelHref,
     toRelPath,
 } from '@canton-network/core-wallet-ui-components'
-import {
-    Network,
-    Auth as ApiAuth,
-} from '@canton-network/core-wallet-user-rpc-client'
+import { Auth as ApiAuth } from '@canton-network/core-wallet-user-rpc-client'
 import { Auth } from '@canton-network/core-wallet-auth'
+import { Network } from '@canton-network/core-wallet-store'
 import { createUserClient } from '../../rpc-client'
 import { stateManager } from '../../state-manager'
 import '../../index'
@@ -68,19 +66,15 @@ export class UserUiReviewNetwork extends BaseElement {
                 stateManager.accessToken.get()
             )
             const result = await userClient.request({
-                method: 'listNetworks',
+                method: 'getNetwork',
+                params: { networkId },
             })
 
-            const found = result.networks.find(
-                (n: Network) => n.id === networkId
-            )
-            if (!found) {
-                handleErrorToast(new Error(`Network "${networkId}" not found`))
-                this.navigateBack()
-                return
+            const apiNetwork = result.network
+            this.network = {
+                ...apiNetwork,
+                ledgerApi: { baseUrl: apiNetwork.ledgerApi },
             }
-
-            this.network = found
         } catch (error) {
             handleErrorToast(error)
             this.navigateBack()
diff --git a/wallet-gateway/remote/src/web/frontend/settings/index.ts b/wallet-gateway/remote/src/web/frontend/settings/index.ts
index 450b1c3c9..81a563205 100644
--- a/wallet-gateway/remote/src/web/frontend/settings/index.ts
+++ b/wallet-gateway/remote/src/web/frontend/settings/index.ts
@@ -15,7 +15,7 @@ import {
 import { html, css } from 'lit'
 import { customElement, state } from 'lit/decorators.js'
 import {
-    Network,
+    PublicNetwork,
     Session,
     Idp,
     Auth as ApiAuth,
@@ -41,7 +41,7 @@ export class UserUiSettings extends BaseElement {
         `,
     ]
 
-    @state() accessor networks: Network[] = []
+    @state() accessor networks: PublicNetwork[] = []
     @state() accessor sessions: Session[] = []
     @state() accessor idps: Idp[] = []
     @state() accessor client: UserApiClient | null = null

From 18151005f577e87d3e6204aa05bbbad967d2afe4 Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Fri, 22 May 2026 18:45:25 +0200
Subject: [PATCH 2/6] mint self signed access token on server

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 api-specs/openrpc-user-api.json               | 43 ++++++++++
 core/wallet-user-rpc-client/src/index.ts      | 78 ++++++++++++-------
 core/wallet-user-rpc-client/src/openrpc.json  | 43 ++++++++++
 .../wallet-gateway/apis/index.md              | 46 +++++------
 wallet-gateway/remote/src/init.ts             |  1 +
 .../remote/src/user-api/controller.ts         | 35 +++++++++
 .../remote/src/user-api/rpc-gen/index.ts      |  3 +
 .../remote/src/user-api/rpc-gen/typings.ts    | 73 ++++++++++-------
 .../remote/src/user-api/server.test.ts        | 42 ++++++++++
 .../remote/src/web/frontend/login/login.ts    | 30 +++----
 .../src/web/frontend/networks/review/index.ts | 13 ++--
 11 files changed, 300 insertions(+), 107 deletions(-)

diff --git a/api-specs/openrpc-user-api.json b/api-specs/openrpc-user-api.json
index 843ba3bc0..4ab3ba3cd 100644
--- a/api-specs/openrpc-user-api.json
+++ b/api-specs/openrpc-user-api.json
@@ -119,6 +119,49 @@
             },
             "description": "Returns full network configuration including auth details. Admin only."
         },
+        {
+            "name": "selfSignedAccessToken",
+            "params": [
+                {
+                    "name": "params",
+                    "schema": {
+                        "title": "SelfSignedAccessTokenParams",
+                        "type": "object",
+                        "additionalProperties": false,
+                        "properties": {
+                            "networkId": {
+                                "title": "networkId",
+                                "type": "string",
+                                "description": "Network ID"
+                            },
+                            "clientId": {
+                                "title": "clientId",
+                                "type": "string",
+                                "description": "Client ID used as the JWT subject"
+                            }
+                        },
+                        "required": ["networkId", "clientId"]
+                    }
+                }
+            ],
+            "result": {
+                "name": "result",
+                "schema": {
+                    "title": "SelfSignedAccessTokenResult",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "accessToken": {
+                            "title": "accessToken",
+                            "type": "string",
+                            "description": "Self-signed JWT access token"
+                        }
+                    },
+                    "required": ["accessToken"]
+                }
+            },
+            "description": "Mints a self-signed access token using server-side network credentials. Used for login on self-signed networks."
+        },
         {
             "name": "addIdp",
             "description": "Adds a new identity provider.",
diff --git a/core/wallet-user-rpc-client/src/index.ts b/core/wallet-user-rpc-client/src/index.ts
index bdd19867e..ab341a547 100644
--- a/core/wallet-user-rpc-client/src/index.ts
+++ b/core/wallet-user-rpc-client/src/index.ts
@@ -80,23 +80,6 @@ export interface Network {
     adminAuth?: Auth
     ledgerApi: LedgerApi
 }
-/**
- *
- * Network metadata exposed by listNetworks without sensitive auth configuration
- *
- */
-export interface PublicNetwork {
-    id: NetworkId
-    name: Name
-    description: Description
-    synchronizerId?: SynchronizerId
-    identityProviderId: IdentityProviderId
-    ledgerApi: LedgerApi
-    authMethod: Method
-    clientId?: ClientId
-    scope?: Scope
-    audience?: Audience
-}
 /**
  *
  * Ledger api url
@@ -196,8 +179,36 @@ export type MessageId = string
  */
 export type Signature = string
 export type SignedBy = string
-export type Networks = Network[]
-export type PublicNetworks = PublicNetwork[]
+/**
+ *
+ * Authentication method configured for this network
+ *
+ */
+export type AuthMethod = string
+/**
+ *
+ * Network metadata exposed by listNetworks without sensitive auth configuration
+ *
+ */
+export interface PublicNetwork {
+    id: NetworkId
+    name: Name
+    description: Description
+    synchronizerId?: SynchronizerId
+    identityProviderId: IdentityProviderId
+    ledgerApi: LedgerApi
+    authMethod: AuthMethod
+    clientId?: ClientId
+    scope?: Scope
+    audience?: Audience
+}
+export type Networks = PublicNetwork[]
+/**
+ *
+ * The access token for the session.
+ *
+ */
+export type AccessToken = string
 export type Idps = Idp[]
 /**
  *
@@ -367,12 +378,6 @@ export interface MessageRaw {
     signature?: Signature
 }
 export type Messages = MessageRaw[]
-/**
- *
- * The access token for the session.
- *
- */
-export type AccessToken = string
 export type UserLevelRight = any
 /**
  *
@@ -444,6 +449,13 @@ export interface AddNetworkParams {
 export interface RemoveNetworkParams {
     networkName: NetworkName
 }
+export interface GetNetworkParams {
+    networkId: NetworkId
+}
+export interface SelfSignedAccessTokenParams {
+    networkId: NetworkId
+    clientId: ClientId
+}
 export interface AddIdpParams {
     idp: Idp
 }
@@ -503,14 +515,14 @@ export interface DeleteTransactionParams {
  */
 export type Null = null
 export interface ListNetworksResult {
-    networks: PublicNetworks
-}
-export interface GetNetworkParams {
-    networkId: NetworkId
+    networks: Networks
 }
 export interface GetNetworkResult {
     network: Network
 }
+export interface SelfSignedAccessTokenResult {
+    accessToken: AccessToken
+}
 export interface ListIdpsResult {
     idps: Idps
 }
@@ -606,6 +618,9 @@ export type AddNetwork = (params: AddNetworkParams) => Promise<Null>
 export type RemoveNetwork = (params: RemoveNetworkParams) => Promise<Null>
 export type ListNetworks = () => Promise<ListNetworksResult>
 export type GetNetwork = (params: GetNetworkParams) => Promise<GetNetworkResult>
+export type SelfSignedAccessToken = (
+    params: SelfSignedAccessTokenParams
+) => Promise<SelfSignedAccessTokenResult>
 export type AddIdp = (params: AddIdpParams) => Promise<Null>
 export type RemoveIdp = (params: RemoveIdpParams) => Promise<Null>
 export type ListIdps = () => Promise<ListIdpsResult>
@@ -677,6 +692,11 @@ export type RpcTypes = {
         result: Result<GetNetwork>
     }
 
+    selfSignedAccessToken: {
+        params: Params<SelfSignedAccessToken>
+        result: Result<SelfSignedAccessToken>
+    }
+
     addIdp: {
         params: Params<AddIdp>
         result: Result<AddIdp>
diff --git a/core/wallet-user-rpc-client/src/openrpc.json b/core/wallet-user-rpc-client/src/openrpc.json
index 843ba3bc0..4ab3ba3cd 100644
--- a/core/wallet-user-rpc-client/src/openrpc.json
+++ b/core/wallet-user-rpc-client/src/openrpc.json
@@ -119,6 +119,49 @@
             },
             "description": "Returns full network configuration including auth details. Admin only."
         },
+        {
+            "name": "selfSignedAccessToken",
+            "params": [
+                {
+                    "name": "params",
+                    "schema": {
+                        "title": "SelfSignedAccessTokenParams",
+                        "type": "object",
+                        "additionalProperties": false,
+                        "properties": {
+                            "networkId": {
+                                "title": "networkId",
+                                "type": "string",
+                                "description": "Network ID"
+                            },
+                            "clientId": {
+                                "title": "clientId",
+                                "type": "string",
+                                "description": "Client ID used as the JWT subject"
+                            }
+                        },
+                        "required": ["networkId", "clientId"]
+                    }
+                }
+            ],
+            "result": {
+                "name": "result",
+                "schema": {
+                    "title": "SelfSignedAccessTokenResult",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "accessToken": {
+                            "title": "accessToken",
+                            "type": "string",
+                            "description": "Self-signed JWT access token"
+                        }
+                    },
+                    "required": ["accessToken"]
+                }
+            },
+            "description": "Mints a self-signed access token using server-side network credentials. Used for login on self-signed networks."
+        },
         {
             "name": "addIdp",
             "description": "Adds a new identity provider.",
diff --git a/docs/dapp-building/wallet-gateway/apis/index.md b/docs/dapp-building/wallet-gateway/apis/index.md
index 1a3e342d9..6fb2d9152 100644
--- a/docs/dapp-building/wallet-gateway/apis/index.md
+++ b/docs/dapp-building/wallet-gateway/apis/index.md
@@ -31,28 +31,29 @@ The User API enables users to manage their wallets, configure networks, manage i
 
 **Methods:**
 
-| Category           | Method                 | Description                                                         |
-| ------------------ | ---------------------- | ------------------------------------------------------------------- |
-| Sessions           | `addSession()`         | Create a new session (unauthenticated, used for initial connection) |
-|                    | `removeSession()`      | End the current session                                             |
-|                    | `listSessions()`       | List sessions for the current user                                  |
-| Networks           | `listNetworks()`       | List configured networks (public metadata only, no auth secrets)    |
-|                    | `getNetwork()`         | Get full network configuration including auth (admin only)          |
-|                    | `addNetwork()`         | Add a new network configuration                                     |
-|                    | `removeNetwork()`      | Remove a network configuration                                      |
-| Identity Providers | `listIdps()`           | List all identity providers                                         |
-|                    | `addIdp()`             | Add a new identity provider                                         |
-|                    | `removeIdp()`          | Remove an identity provider                                         |
-| Wallets            | `createWallet()`       | Create a new wallet (party) on a network                            |
-|                    | `listWallets()`        | List all wallets for the current user                               |
-|                    | `setPrimaryWallet()`   | Set the primary wallet                                              |
-|                    | `removeWallet()`       | Remove a wallet                                                     |
-|                    | `syncWallets()`        | Sync wallets with the ledger                                        |
-|                    | `isWalletSyncNeeded()` | Check if wallet sync is needed                                      |
-| Transactions       | `sign()`               | Sign a transaction                                                  |
-|                    | `execute()`            | Execute a signed transaction                                        |
-|                    | `getTransaction()`     | Get a transaction by ID                                             |
-|                    | `listTransactions()`   | List transactions                                                   |
+| Category           | Method                    | Description                                                         |
+| ------------------ | ------------------------- | ------------------------------------------------------------------- |
+| Sessions           | `addSession()`            | Create a new session (unauthenticated, used for initial connection) |
+|                    | `removeSession()`         | End the current session                                             |
+|                    | `listSessions()`          | List sessions for the current user                                  |
+| Networks           | `listNetworks()`          | List configured networks (public metadata only, no auth secrets)    |
+|                    | `getNetwork()`            | Get full network configuration including auth (admin only)          |
+|                    | `selfSignedAccessToken()` | Mint a self-signed JWT for login (unauthenticated)                  |
+|                    | `addNetwork()`            | Add a new network configuration                                     |
+|                    | `removeNetwork()`         | Remove a network configuration                                      |
+| Identity Providers | `listIdps()`              | List all identity providers                                         |
+|                    | `addIdp()`                | Add a new identity provider                                         |
+|                    | `removeIdp()`             | Remove an identity provider                                         |
+| Wallets            | `createWallet()`          | Create a new wallet (party) on a network                            |
+|                    | `listWallets()`           | List all wallets for the current user                               |
+|                    | `setPrimaryWallet()`      | Set the primary wallet                                              |
+|                    | `removeWallet()`          | Remove a wallet                                                     |
+|                    | `syncWallets()`           | Sync wallets with the ledger                                        |
+|                    | `isWalletSyncNeeded()`    | Check if wallet sync is needed                                      |
+| Transactions       | `sign()`                  | Sign a transaction                                                  |
+|                    | `execute()`               | Execute a signed transaction                                        |
+|                    | `getTransaction()`        | Get a transaction by ID                                             |
+|                    | `listTransactions()`      | List transactions                                                   |
 
 **Authentication:**
 
@@ -61,6 +62,7 @@ Most User API methods require authentication via JWT token. However, the followi
 - `addSession()`
 - `listNetworks()`
 - `listIdps()`
+- `selfSignedAccessToken()`
 
 **Full API Specification:**
 
diff --git a/wallet-gateway/remote/src/init.ts b/wallet-gateway/remote/src/init.ts
index 54b74220b..181ff36ac 100644
--- a/wallet-gateway/remote/src/init.ts
+++ b/wallet-gateway/remote/src/init.ts
@@ -330,6 +330,7 @@ export async function initialize(opts: CliOptions, logger: Logger) {
             'listNetworks',
             'listIdps',
             'getUser',
+            'selfSignedAccessToken',
         ],
     }
 
diff --git a/wallet-gateway/remote/src/user-api/controller.ts b/wallet-gateway/remote/src/user-api/controller.ts
index 147a42f32..af6ed7695 100644
--- a/wallet-gateway/remote/src/user-api/controller.ts
+++ b/wallet-gateway/remote/src/user-api/controller.ts
@@ -34,6 +34,8 @@ import {
     GetUserResult,
     GetNetworkParams,
     GetNetworkResult,
+    SelfSignedAccessTokenParams,
+    SelfSignedAccessTokenResult,
     Network as ApiNetwork,
     PublicNetwork,
 } from './rpc-gen/typings.js'
@@ -189,6 +191,39 @@ export const userController = (
             const network = await store.getNetwork(params.networkId)
             return { network: toApiNetwork(network) }
         },
+        selfSignedAccessToken: async (
+            params: SelfSignedAccessTokenParams
+        ): Promise<SelfSignedAccessTokenResult> => {
+            const network = (await store.listNetworks()).find(
+                (n) => n.id === params.networkId
+            )
+            if (!network) {
+                throw new Error(`Network "${params.networkId}" not found`)
+            }
+            const auth = network.auth
+
+            if (auth.method !== 'self_signed') {
+                throw new Error(
+                    'Network does not use self_signed authentication'
+                )
+            }
+
+            const accessToken = await new AuthTokenProvider(
+                {
+                    method: 'self_signed',
+                    issuer: auth.issuer,
+                    credentials: {
+                        clientId: params.clientId,
+                        clientSecret: auth.clientSecret,
+                        scope: auth.scope,
+                        audience: auth.audience,
+                    },
+                },
+                logger
+            ).getAccessToken()
+
+            return { accessToken }
+        },
         addIdp: async (params: AddIdpParams) => {
             assertAdmin()
             const validatedIdp = idpSchema.parse(params.idp)
diff --git a/wallet-gateway/remote/src/user-api/rpc-gen/index.ts b/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
index ed9f3a82b..8e263c76a 100644
--- a/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
+++ b/wallet-gateway/remote/src/user-api/rpc-gen/index.ts
@@ -5,6 +5,7 @@ import { AddNetwork } from './typings.js'
 import { RemoveNetwork } from './typings.js'
 import { ListNetworks } from './typings.js'
 import { GetNetwork } from './typings.js'
+import { SelfSignedAccessToken } from './typings.js'
 import { AddIdp } from './typings.js'
 import { RemoveIdp } from './typings.js'
 import { ListIdps } from './typings.js'
@@ -34,6 +35,7 @@ export type Methods = {
     removeNetwork: RemoveNetwork
     listNetworks: ListNetworks
     getNetwork: GetNetwork
+    selfSignedAccessToken: SelfSignedAccessToken
     addIdp: AddIdp
     removeIdp: RemoveIdp
     listIdps: ListIdps
@@ -65,6 +67,7 @@ function buildController(methods: Methods) {
         removeNetwork: methods.removeNetwork,
         listNetworks: methods.listNetworks,
         getNetwork: methods.getNetwork,
+        selfSignedAccessToken: methods.selfSignedAccessToken,
         addIdp: methods.addIdp,
         removeIdp: methods.removeIdp,
         listIdps: methods.listIdps,
diff --git a/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts b/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
index 802879f09..cdfbe658d 100644
--- a/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
+++ b/wallet-gateway/remote/src/user-api/rpc-gen/typings.ts
@@ -79,23 +79,6 @@ export interface Network {
     adminAuth?: Auth
     ledgerApi: LedgerApi
 }
-/**
- *
- * Network metadata exposed by listNetworks without sensitive auth configuration
- *
- */
-export interface PublicNetwork {
-    id: NetworkId
-    name: Name
-    description: Description
-    synchronizerId?: SynchronizerId
-    identityProviderId: IdentityProviderId
-    ledgerApi: LedgerApi
-    authMethod: Method
-    clientId?: ClientId
-    scope?: Scope
-    audience?: Audience
-}
 /**
  *
  * Ledger api url
@@ -195,8 +178,36 @@ export type MessageId = string
  */
 export type Signature = string
 export type SignedBy = string
-export type Networks = Network[]
-export type PublicNetworks = PublicNetwork[]
+/**
+ *
+ * Authentication method configured for this network
+ *
+ */
+export type AuthMethod = string
+/**
+ *
+ * Network metadata exposed by listNetworks without sensitive auth configuration
+ *
+ */
+export interface PublicNetwork {
+    id: NetworkId
+    name: Name
+    description: Description
+    synchronizerId?: SynchronizerId
+    identityProviderId: IdentityProviderId
+    ledgerApi: LedgerApi
+    authMethod: AuthMethod
+    clientId?: ClientId
+    scope?: Scope
+    audience?: Audience
+}
+export type Networks = PublicNetwork[]
+/**
+ *
+ * The access token for the session.
+ *
+ */
+export type AccessToken = string
 export type Idps = Idp[]
 /**
  *
@@ -366,12 +377,6 @@ export interface MessageRaw {
     signature?: Signature
 }
 export type Messages = MessageRaw[]
-/**
- *
- * The access token for the session.
- *
- */
-export type AccessToken = string
 export type UserLevelRight = any
 /**
  *
@@ -443,6 +448,13 @@ export interface AddNetworkParams {
 export interface RemoveNetworkParams {
     networkName: NetworkName
 }
+export interface GetNetworkParams {
+    networkId: NetworkId
+}
+export interface SelfSignedAccessTokenParams {
+    networkId: NetworkId
+    clientId: ClientId
+}
 export interface AddIdpParams {
     idp: Idp
 }
@@ -502,14 +514,14 @@ export interface DeleteTransactionParams {
  */
 export type Null = null
 export interface ListNetworksResult {
-    networks: PublicNetworks
-}
-export interface GetNetworkParams {
-    networkId: NetworkId
+    networks: Networks
 }
 export interface GetNetworkResult {
     network: Network
 }
+export interface SelfSignedAccessTokenResult {
+    accessToken: AccessToken
+}
 export interface ListIdpsResult {
     idps: Idps
 }
@@ -605,6 +617,9 @@ export type AddNetwork = (params: AddNetworkParams) => Promise<Null>
 export type RemoveNetwork = (params: RemoveNetworkParams) => Promise<Null>
 export type ListNetworks = () => Promise<ListNetworksResult>
 export type GetNetwork = (params: GetNetworkParams) => Promise<GetNetworkResult>
+export type SelfSignedAccessToken = (
+    params: SelfSignedAccessTokenParams
+) => Promise<SelfSignedAccessTokenResult>
 export type AddIdp = (params: AddIdpParams) => Promise<Null>
 export type RemoveIdp = (params: RemoveIdpParams) => Promise<Null>
 export type ListIdps = () => Promise<ListIdpsResult>
diff --git a/wallet-gateway/remote/src/user-api/server.test.ts b/wallet-gateway/remote/src/user-api/server.test.ts
index cd466f02f..428e297a2 100644
--- a/wallet-gateway/remote/src/user-api/server.test.ts
+++ b/wallet-gateway/remote/src/user-api/server.test.ts
@@ -62,3 +62,45 @@ test('call listNetworks rpc', async () => {
         expect(network).toHaveProperty('authMethod')
     }
 })
+
+test('selfSignedAccessToken rpc', async () => {
+    const drivers = {}
+    const app = express()
+    app.use(cors())
+    app.use(express.json())
+
+    const { publicUrl } = deriveUrls(config)
+    const response = await request(
+        user(
+            '/api/v0/user',
+            app,
+            pino(sink()),
+            config.kernel,
+            publicUrl,
+            notificationService,
+            drivers,
+            store
+        )
+    )
+        .post('/api/v0/user')
+        .send({
+            jsonrpc: '2.0',
+            id: 1,
+            method: 'selfSignedAccessToken',
+            params: {
+                networkId: 'canton:local-self-signed',
+                clientId: 'test-user',
+            },
+        })
+        .set('Accept', 'application/json')
+
+    expect(response.statusCode).toBe(200)
+    const { accessToken } = response.body.result
+    expect(typeof accessToken).toBe('string')
+
+    const payload = JSON.parse(
+        Buffer.from(accessToken.split('.')[1], 'base64url').toString()
+    )
+    expect(payload.sub).toBe('test-user')
+    expect(payload.iss).toBe('self-signed')
+})
diff --git a/wallet-gateway/remote/src/web/frontend/login/login.ts b/wallet-gateway/remote/src/web/frontend/login/login.ts
index e5cb4c64f..12ec82dc0 100644
--- a/wallet-gateway/remote/src/web/frontend/login/login.ts
+++ b/wallet-gateway/remote/src/web/frontend/login/login.ts
@@ -12,10 +12,6 @@ import {
     WgLoginForm,
     toRelHref,
 } from '@canton-network/core-wallet-ui-components'
-import {
-    AuthTokenProvider,
-    ClientCredentials,
-} from '@canton-network/core-wallet-auth'
 import { createUserClient } from '../rpc-client'
 import { PublicNetwork, Idp } from '@canton-network/core-wallet-user-rpc-client'
 import { stateManager } from '../state-manager'
@@ -111,12 +107,7 @@ export class LoginUI extends BaseElement {
 
         try {
             if (selectedIdp.type === 'self_signed') {
-                await this.selfSign({
-                    clientId,
-                    clientSecret: '',
-                    scope: selectedNetwork.scope ?? '',
-                    audience: selectedNetwork.audience ?? '',
-                } as ClientCredentials)
+                await this.selfSign(selectedNetwork.id, clientId)
                 redirectToIntendedOrDefault()
                 return
             }
@@ -185,21 +176,22 @@ export class LoginUI extends BaseElement {
         }
     }
 
-    protected async selfSign(credentials: ClientCredentials) {
-        const token_provider = new AuthTokenProvider(
-            { method: 'self_signed', issuer: 'unsafe-auth', credentials },
-            console
+    protected async selfSign(networkId: string, clientId: string) {
+        const userClient = await createUserClient(
+            stateManager.accessToken.get()
         )
-        const access_token = await token_provider.getAccessToken()
+        const { accessToken } = await userClient.request({
+            method: 'selfSignedAccessToken',
+            params: { networkId, clientId },
+        })
 
-        const payload = JSON.parse(atob(access_token.split('.')[1]))
+        const payload = JSON.parse(atob(accessToken.split('.')[1]))
         stateManager.expirationDate.set(
             new Date(payload.exp * 1000).toISOString()
         )
-        stateManager.accessToken.set(access_token)
+        stateManager.accessToken.set(accessToken)
 
-        const networkId = stateManager.networkId.get() || ''
-        addUserSession(access_token, networkId)
+        addUserSession(accessToken, networkId)
     }
 
     protected render() {
diff --git a/wallet-gateway/remote/src/web/frontend/networks/review/index.ts b/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
index a080c8d78..944408983 100644
--- a/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
+++ b/wallet-gateway/remote/src/web/frontend/networks/review/index.ts
@@ -12,9 +12,11 @@ import {
     toRelHref,
     toRelPath,
 } from '@canton-network/core-wallet-ui-components'
-import { Auth as ApiAuth } from '@canton-network/core-wallet-user-rpc-client'
+import {
+    Auth as ApiAuth,
+    Network,
+} from '@canton-network/core-wallet-user-rpc-client'
 import { Auth } from '@canton-network/core-wallet-auth'
-import { Network } from '@canton-network/core-wallet-store'
 import { createUserClient } from '../../rpc-client'
 import { stateManager } from '../../state-manager'
 import '../../index'
@@ -69,12 +71,7 @@ export class UserUiReviewNetwork extends BaseElement {
                 method: 'getNetwork',
                 params: { networkId },
             })
-
-            const apiNetwork = result.network
-            this.network = {
-                ...apiNetwork,
-                ledgerApi: { baseUrl: apiNetwork.ledgerApi },
-            }
+            this.network = result.network
         } catch (error) {
             handleErrorToast(error)
             this.navigateBack()

From 6efd058146bd3526af7a09260eaab17bd9d3c353 Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Tue, 26 May 2026 10:29:23 +0200
Subject: [PATCH 3/6] minor adjustments

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 .../remote/src/user-api/controller.ts         | 16 +++++++-
 .../remote/src/user-api/server.test.ts        | 40 ++++++++++++++++++-
 .../remote/src/web/frontend/login/login.ts    |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/wallet-gateway/remote/src/user-api/controller.ts b/wallet-gateway/remote/src/user-api/controller.ts
index af6ed7695..c114a6788 100644
--- a/wallet-gateway/remote/src/user-api/controller.ts
+++ b/wallet-gateway/remote/src/user-api/controller.ts
@@ -208,10 +208,24 @@ export const userController = (
                 )
             }
 
+            const idp = (await store.listIdps()).find(
+                (idp) => idp.id === network.identityProviderId
+            )
+            if (!idp) {
+                throw new Error(
+                    `Identity provider "${network.identityProviderId}" not found`
+                )
+            }
+            if (idp.type !== 'self_signed') {
+                throw new Error(
+                    'Identity provider is not configured for self_signed authentication'
+                )
+            }
+
             const accessToken = await new AuthTokenProvider(
                 {
                     method: 'self_signed',
-                    issuer: auth.issuer,
+                    issuer: idp.issuer,
                     credentials: {
                         clientId: params.clientId,
                         clientSecret: auth.clientSecret,
diff --git a/wallet-gateway/remote/src/user-api/server.test.ts b/wallet-gateway/remote/src/user-api/server.test.ts
index 428e297a2..2225864b3 100644
--- a/wallet-gateway/remote/src/user-api/server.test.ts
+++ b/wallet-gateway/remote/src/user-api/server.test.ts
@@ -7,6 +7,7 @@ import cors from 'cors'
 import express from 'express'
 import request from 'supertest'
 import { user } from './server.js'
+import { jwtAuthService } from '../auth/jwt-auth-service.js'
 import { StoreInternal } from '@canton-network/core-wallet-store-inmemory'
 import { ConfigUtils, deriveUrls } from '../config/ConfigUtils.js'
 import { NotificationService } from '../notification/NotificationService.js'
@@ -102,5 +103,42 @@ test('selfSignedAccessToken rpc', async () => {
         Buffer.from(accessToken.split('.')[1], 'base64url').toString()
     )
     expect(payload.sub).toBe('test-user')
-    expect(payload.iss).toBe('self-signed')
+    expect(payload.iss).toBe('unsafe-auth')
+})
+
+test('selfSignedAccessToken token is accepted by jwt auth', async () => {
+    const authService = jwtAuthService(store, pino(sink()))
+    const app = express()
+    app.use(cors())
+    app.use(express.json())
+
+    const { publicUrl } = deriveUrls(config)
+    const mintResponse = await request(
+        user(
+            '/api/v0/user',
+            app,
+            pino(sink()),
+            config.kernel,
+            publicUrl,
+            notificationService,
+            {},
+            store
+        )
+    )
+        .post('/api/v0/user')
+        .send({
+            jsonrpc: '2.0',
+            id: 2,
+            method: 'selfSignedAccessToken',
+            params: {
+                networkId: 'canton:local-self-signed',
+                clientId: 'test-user',
+            },
+        })
+
+    const accessToken = mintResponse.body.result.accessToken
+    const context = await authService.verifyToken(`Bearer ${accessToken}`)
+
+    expect(context?.userId).toBe('test-user')
+    expect(context?.accessToken).toBe(accessToken)
 })
diff --git a/wallet-gateway/remote/src/web/frontend/login/login.ts b/wallet-gateway/remote/src/web/frontend/login/login.ts
index 12ec82dc0..4798780b0 100644
--- a/wallet-gateway/remote/src/web/frontend/login/login.ts
+++ b/wallet-gateway/remote/src/web/frontend/login/login.ts
@@ -191,7 +191,7 @@ export class LoginUI extends BaseElement {
         )
         stateManager.accessToken.set(accessToken)
 
-        addUserSession(accessToken, networkId)
+        await addUserSession(accessToken, networkId)
     }
 
     protected render() {

From 6884ff0828bcded45c7dba8b8eddbb08cd95ad6b Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Tue, 26 May 2026 11:05:38 +0200
Subject: [PATCH 4/6] renaming

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 wallet-gateway/remote/src/user-api/controller.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/wallet-gateway/remote/src/user-api/controller.ts b/wallet-gateway/remote/src/user-api/controller.ts
index c114a6788..974e58c02 100644
--- a/wallet-gateway/remote/src/user-api/controller.ts
+++ b/wallet-gateway/remote/src/user-api/controller.ts
@@ -189,7 +189,7 @@ export const userController = (
         ): Promise<GetNetworkResult> => {
             assertAdmin()
             const network = await store.getNetwork(params.networkId)
-            return { network: toApiNetwork(network) }
+            return { network: toNetworkDto(network) }
         },
         selfSignedAccessToken: async (
             params: SelfSignedAccessTokenParams
@@ -1128,7 +1128,7 @@ export const userController = (
     })
 }
 
-function toApiAuth(auth: Auth): ApiNetwork['auth'] {
+function toAuthDto(auth: Auth): ApiNetwork['auth'] {
     const base = {
         method: auth.method,
         audience: auth.audience,
@@ -1154,7 +1154,7 @@ function toApiAuth(auth: Auth): ApiNetwork['auth'] {
     return base
 }
 
-function toApiNetwork(network: Network): ApiNetwork {
+function toNetworkDto(network: Network): ApiNetwork {
     return {
         id: network.id,
         name: network.name,
@@ -1162,9 +1162,9 @@ function toApiNetwork(network: Network): ApiNetwork {
         synchronizerId: network.synchronizerId,
         identityProviderId: network.identityProviderId,
         ledgerApi: network.ledgerApi.baseUrl,
-        auth: toApiAuth(network.auth),
+        auth: toAuthDto(network.auth),
         ...(network.adminAuth
-            ? { adminAuth: toApiAuth(network.adminAuth) }
+            ? { adminAuth: toAuthDto(network.adminAuth) }
             : {}),
     }
 }

From a2ed9c873788584bcece6e43524411927ab71a47 Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Tue, 26 May 2026 13:11:51 +0200
Subject: [PATCH 5/6] types

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 core/wallet-ui-components/src/components/login-form.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/wallet-ui-components/src/components/login-form.ts b/core/wallet-ui-components/src/components/login-form.ts
index d0278d5ab..cd6e1e254 100644
--- a/core/wallet-ui-components/src/components/login-form.ts
+++ b/core/wallet-ui-components/src/components/login-form.ts
@@ -214,7 +214,7 @@ export class WgLoginForm extends BaseElement {
             )?.value || this.selectedNetwork.clientId
 
         this.dispatchEvent(
-            new LoginConnectEvent(this.selectedNetwork, idp, clientId)
+            new LoginConnectEvent(this.selectedNetwork, idp, clientId || '')
         )
     }
 

From 52a36dae93bde73d38fc4462c0ea893642e5364f Mon Sep 17 00:00:00 2001
From: Marc Juchli <marc.juchli@digitalasset.com>
Date: Tue, 26 May 2026 13:40:47 +0200
Subject: [PATCH 6/6] fix test

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>
---
 core/wallet-store-inmemory/src/StoreInternal.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/wallet-store-inmemory/src/StoreInternal.ts b/core/wallet-store-inmemory/src/StoreInternal.ts
index 7c2d84c85..c5dc52484 100644
--- a/core/wallet-store-inmemory/src/StoreInternal.ts
+++ b/core/wallet-store-inmemory/src/StoreInternal.ts
@@ -375,7 +375,6 @@ export class StoreInternal implements Store, AuthAware<StoreInternal> {
     }
 
     async listIdps(): Promise<Array<Idp>> {
-        this.assertConnected()
         return this.systemStorage.idps
     }