# API Authentication

All API operations in UAT and Production require a Bearer access token specific
to the environment you're using. Ripple provides a secure model for authentication
and authorization by providing access tokens scoped for a set of credentials.

### Generate client ID and client secret

You will need your *client ID* and *client secret* to obtain an access token.

If you do not already have your client ID and client secret, do the following:

1. Log into the Ripple Collections UI.
2. In the left navigation menu, click **Settings**.
3. Under **Administration**, click **API Credentials**.
4. In the dropdown list next to the page title, select the access environment.
For example, to provision credentials for the test environment, select **Test**
from the dropdown list.
5. In the upper right corner of the page, click **New Credential**.
6. Click **Save and Generate Key**.


**Caution:** The *client secret* is displayed only once when you are creating
new credentials. You cannot retrieve the secret after exiting this page. Copy
and store the client secret securely and share it with authorized individuals
in accordance with your organization's security policy.

You can now use the client ID and client secret to generate access tokens using
the [Request an access token](/products/collections/api/collections/#operation/authenticate)
operation.

### Request an access token

To get an access token, use the [Request an access token](/products/collections/api/collections/#operation/authenticate)
operation with your `client_id` and `client_secret`. The response contains a token
in the `access_token` field.

We recommend rotating your API credentials at regular intervals according to your
organization's security policy.

**Note**: Authentication tokens are not a fixed length and can vary, avoid validating
tokens based on character length.