# API Basics
source: https://developer.mastercard.com/bces-service/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses one-legged [OAuth 1.0a](https://datatracker.ietf.org/doc/html/rfc5849) to authenticate and authorize client applications. To access the Benefits Content Eligibility Service API, you must authenticate your client applications. This means that you must digitally sign every request sent to Mastercard; only requests with valid signatures created by authorized clients can gain access to the Mastercard eligibility content service.

Requests containing a body must be signed using the [OAuth body hash extension](https://tools.ietf.org/id/draft-eaton-oauth-bodyhash-00.html), which binds the request body to the signature. OAuth keys for your project can be set up in your [dashboard](https://developer.mastercard.com/dashboard).

Client authentication libraries can be found on [GitHub](https://github.com/Mastercard?&q=oauth), with how-to information provided in [readme.md](https://github.com/Mastercard/oauth1-signer-java/blob/main/README.md) files.

### OAuth keys \& authentication libraries {#oauth-keys--authentication-libraries}

Mastercard provides [client authentication libraries](https://github.com/Mastercard?q=oauth) in several languages that you can integrate into your project or use as reference OAuth 1.0a implementations. To get started, add the package matching your application development language to your project.

Tip: OAuth 1.0a presents many edge cases that are easy to miss. We strongly encourage you to use existing OAuth libraries rather than implementing the specification yourself.

For further details, refer to [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/).

### Transport and payload encryption {#transport-and-payload-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks. In addition, because the API request contains a PAN, the request payload must be encrypted.

Information on request payload encryption can be found in the JWE encryption section of [Payload encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/). Only the request payload is encrypted; the response is not encrypted, as it does not contain any sensitive data.

## How to Consume the Mastercard Benefits Content Eligibility Service API? {#how-to-consume-the-mastercard-benefits-content-eligibility-service-api}

There are multiple ways of integrating with the Benefits Content Eligibility Service API:

1. Using a generated API client (recommended)
2. Generating your own API client

### Generating your own API client {#generating-your-own-api-client}

Create customizable API clients from the Benefits Content Eligibility Service API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers the most flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with:

* The following API specification: [eligibility-with-content-specs.yaml](https://static.developer.mastercard.com/content/bces-service/swagger/eligibility-with-content-specs.yaml) (13KB)

### Using a method of your choice {#using-a-method-of-your-choice}

Benefits Content Eligibility Service exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests.

For that, please refer to the Eligibility [REST API Reference](https://developer.mastercard.com/bces-service/documentation/api-reference/index.md).

## Environments {#environments}

| **Environment** |                                                                     **Description**                                                                      |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration prior to moving to production. |
| Production      | Full production environment containing the latest production API release.                                                                                |

