# Obtain a JSON web token (JWT)

Before you can use the API, you need a JWT to pass as a bearer token in the header of any request. You need to obtain a JWT the first time you use the API and whenever the token expires.

The default JWT expiration time is four hours.

## Obtain a token

The token is created using a standard challenge-response authentication approach.

### Prerequisites

Before you can obtain a JWT, you need the URL of the authorization server. This is normally the environment URL, preceded by `openid`, that is, `https://openid.{environment_URL}`.
For more information, contact [Ripple](/products/custody/v1.26/support/get-support).

To obtain a JWT:

1. Create any random string (a `challenge`).
2. Sign the challenge with the private key you generated in [Generate a key pair and share the public key](/products/custody/v1.26/api/get-started/register#generate-a-key-pair-and-share-the-public-key), in PEM format.
3. Submit the data to the authorization server, using the following API call, where `authURL` is the URL of the authorization server:

```sh
POST {authURL}/token
```
And a request body formatted as `application/x-www-form-urlencoded`, as follows:

```json
{
     "grant_type":"password",
     "client_id":"YOUR_CLIENT_ID",           // check with your system admin for the value
     "signature":"signature",
     "challenge":"challenge",
     "public_key":"pubkey"
}
```


For security reasons, you can only use a challenge once. For every new request, you must use a new challenge to create a new signature.

Upon successful execution, the API responds with the following:


```json
{
    "access_token":"eyJhbGci....-3HNQ"
}
```

The JWT contains encoded data on the requestor, that is, the public key of the requestor, which is used by Ripple Custody to identify the logged-in user. Additionally, it has an issuance timestamp and an expiration timestamp.