# Authentication

The Ripple Custody API includes the following authentication mechanisms:

- JSON web token (JWT): All Ripple Custody API calls must authenticate with a JWT passed as a bearer token in the request header.
- Digital signature: API calls that change the state of the system also require a digital signature.


## JWT

All API requests to the Ripple Custody backend, whether from the UI or from third parties, require authentication using a JWT passed as a bearer token in the request header.

Ripple provides a default OpenId Connect (OIDC) server that verifies the identity of the end user and issues a valid JWT.

The default JWT expiration time is four hours.

For more information, see [Authenticate API requests](/products/custody/v1.34/concepts/authenticate-api-requests).

## Digital signature

All user-requested changes to the Ripple Custody data require authorization with a digital signature.
Examples of such requests are:

- Creation of a new entity, such as a user or account
- Update of an existing entity
- Approval of an intent
- Rejection of an intent


For more information, see [Sign intents](/products/custody/v1.34/api/get-started/key-operations/update/intent-signature).

For key generation examples using OpenSSL in non-production environments, see [Generate keys and register](/products/custody/v1.34/concepts/generate-keys-register). For signing examples, see [Authenticate API requests](/products/custody/v1.34/concepts/authenticate-api-requests).