# Authentication

The Ripple Custody API includes the following authentication mechanisms:

- JSON web token (JWT): All Ripple Custody API calls must authenticate with a JWT passed as a bearer token in the request header.
- Digital signature: API calls that change the state of the system also require a digital signature.


## JWT

All API requests to the Ripple Custody backend, whether from the UI or from third parties, require authentication using a JWT passed as a bearer token in the request header.

Ripple provides a default OpenId Connect (OIDC) server that verifies the identity of the end user and issues a valid JWT.

The default JWT expiration time is four hours.

For more information, see [Obtain a JSON web token](/products/custody/v1.26/api/get-started/jwt).

## Digital signature

All user-requested changes to the Ripple Custody data require authorization with a digital signature.
Examples of such requests are:

- Creation of a new entity, such as a user or account
- Update of an existing entity
- Approval of an intent
- Rejection of an intent


For more information, see [Sign intents](/products/custody/v1.26/api/get-started/key-operations/update/intent-signature).

To try out key generation and signature in Ripple Custody using OpenSSL in a non-production environment, see [OpenSSL examples](/products/custody/v1.26/resources/openssl-examples).