# API Basics
source: https://developer.mastercard.com/bs-creditor-api/documentation/api-basics/index.md

## Authentication {#authentication}

Warning: **Key Expiry:** Betalingsservice Creditor API Keys will expire after 1 year, you will have to generate a new set of keys when they expire. To do this, go to your project dashboard and under Credentials -\> Sandbox/Production select 'Add project key'.

|        **Authentication Protocol**         |                                                                                                                **Details**                                                                                                                 |
|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [OAuth 1.0a](https://oauth.net/core/1.0a/) | Mastercard uses OAuth 1.0a for authenticating the API clients. OAuth 1.0a is an authentication and authorization protocol that guarantees the integrity and authenticity of incoming API calls and allows for non-repudiation of requests. |

OAuth requires every request that you send to Mastercard to be signed with an RSA private key. A private-public RSA key pair must be generated consisting of:

1. A **private key** for the OAuth signature for API requests. It is recommended to keep the private key in a password-protected or hardware keystore. Data encrypted using a public key can only be decrypted using the corresponding private key.
2. A **public key** is shared with Mastercard during the project setup process through either a certificate signing request (CSR) or the API Key Generator. Mastercard will use the public key to verify the OAuth signature that is provided on every API call.

* The OAuth keys for your project can be set up on your project dashboard here [Developer Dashboard](https://developer.mastercard.com/dashboard), after you create a project.

Tip: Do you want to learn more about the authentication scheme Mastercard uses? For that, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

## Environment Domains {#environment-domains}

The Betalingsservice Creditor API is available in the following environments.
* Sandbox
* Production

```Sandbox
https://mtf.oauth.payments.mastercard.dk/betalingsservice/bs-creditor-api-sandbox
```

```Production
https://oauth.payments.mastercard.dk/betalingsservice/bs-creditor-api
```

| **Environment** |                                         **Description**                                         |
|-----------------|-------------------------------------------------------------------------------------------------|
| Sandbox         | Early access environment containing limited-capability APIs to assist with initial integration. |
| Production      | Full production environment that contains the latest production API release.                    |