# API Basics source: https://developer.mastercard.com/automatic-billing-updater/documentation/api-basics/index.md ## API Security {#api-security} ### Client Authentication {#client-authentication} ##### Inbound APIs to ABU {#inbound-apis-to-abu} For API requests to ABU (Account Inquiries and Account Subscriptions), Mastercard uses OAuth 1.0a for authenticating your application. You can manage your authentication keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) after you created a project using Automatic Billing Updater (ABU). Diagram oauth10abasics Tip: Do you want to learn more about the authentication scheme Mastercard uses? For that, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide. ##### Outbound APIs from ABU {#outbound-apis-from-abu} For notifications of account updates, ABU uses MTLS authentication requiring a mutual TLS handshake protocol between the ABU Integrator and Mastercard Server.
Mastercard API gateway will present itself with the Mastercard certificate (signed by DigiCert). It will establish a TLS connection between one of the Mastercard IP addresses and the customer's server at the configured URL. If the customer does not accept the TLS connection, there will be a delivery failure on Mastercard's side and they will not be able to receive the payload. We recommend customers add Certificate Authorities (CAs) from DigiCert to their keystores. Diagram mtlsbasics More information on the DigiCert CAs can be found in [GLB 11023.1 Automatic Billing Updater API Migration to DigiCert Certificate Authority](https://techdocs.mastercard.com/bundle/m_an11023_en-us/). ### Transport Encryption {#transport-encryption} The transport between client applications and Mastercard is secured using [TLS/SSL](https://developer.mastercard.com/platform/documentation/authentication/using-mtls-to-access-mastercard-apis/), which means data are encrypted by default when transmitted across networks. Note: The TLS/SSL link above is for informational purposes only concerning TLS/MTLS. ABU customers do not need to follow the steps to getting MTLS Client certificates for their project, trusting certificates issued by DigCert will be sufficient. ## How to Consume the ABU API {#how-to-consume-the-abu-api} There are multiple ways of integrating with the Automatic Billing Updater (ABU) API: 1. Using a generated API client (recommended) 2. Using a method of your choice ### Generating your own ABU API client {#generating-your-own-abu-api-client} Create customizable API clients from the ABU API specification and let Mastercard's open-source client libraries handle the authentication for you. This approach offers the most flexibility and is strongly recommended. For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/generating-and-configuring-a-mastercard-api-client/) tutorial with the following API specification: [OpenAPI spec download](https://static.developer.mastercard.com/content/automatic-billing-updater/swagger/ABURestAPI.yaml) * Please ignore steps 5 and 7 as the ABU API does not currently have payload encryption. ### Using a method of your choice {#using-a-method-of-your-choice} Automatic Billing Updater (ABU) exposes RESTful APIs: you are free to use the HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests. For that, please refer to the [**ABU API Reference**](https://developer.mastercard.com/automatic-billing-updater/documentation/api-reference/index.md). ## Environments {#environments} The table below describes the two environments that are available. | **Environment** | **Description** | |-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Sandbox | *In the sandbox environment a mock service is running that provides sample responses based on the value of the 'accountNumber'. To access Sandbox select ABU when setting up [My Projects](https://developer.mastercard.com/dashboard)* | | Production | *In production you can access the Push and/or Pull services depending on what you have onboarded for. To access production you need to select [Request Production Access](https://developer.mastercard.com/dashboard) in the ABU project you have setup.* |