> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ravn.exchange/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Model

> Non-custodial by design, with no bridges, no wrapping, and no synthetics.

RAVN is an **orchestration layer, not a custodian**. It finds routes and normalizes execution.
It never holds, wraps, or mints user funds.

## Non-custodial

* The user signs or sends directly to the venue. RAVN never takes custody of funds at any point
  in a swap.
* For `DEPOSIT` routes, the user sends the origin asset to a venue-generated address. For
  `SIGNATURE` and `TRANSACTION` routes, the user signs or broadcasts directly.

## No bridges, no wrapping, no synthetics

RAVN routes only through venues that settle in the canonical asset, which are RFQ market makers,
intent networks, and solver and relayer networks. There is no lock-and-mint bridge, no wrapped
token, and no synthetic anywhere in a RAVN route.

## Quote integrity

* Quotes are returned as an opaque, signed `quoteToken`. It is tamper-evident, so any
  modification of the amount, fee, or route invalidates it, and execution rejects it with
  `QUOTE_INVALID`.
* Quotes expire, and execution re-validates the expiry before building the transaction.

## Venue-enforced settlement

Each venue independently validates the economics and signatures of the order it settles. RAVN
never asks a user to sign anything the destination venue will not verify on its own.

## Gasless where it counts

On RFQ and gasless venues, the user needs zero native gas. They sign an off-chain message and a
solver covers execution. The user only ever needs the asset they are selling.

<Note>
  Reliability signal: [`GET /health`](/api-reference/health) reports live per-venue status, so
  integrators can surface degraded routing in real time.
</Note>
