# API Basics source: https://developer.mastercard.com/business-payment-controls/documentation/api-basics/index.md ## API security {#api-security} The section provides introductory information for integrating your application with the Business Payment Controls API. ### Client authentication {#client-authentication} Mastercard uses OAuth 1.0a for authenticating your application. You can manage your authentication keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) after you create a project using Business Payment Controls. Tip: Do you want to learn more about the authentication scheme Mastercard uses? Read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) guide. ## How to Consume the Business Payment Controls API {#how-to-consume-the-business-payment-controls-api} Note: There are multiple ways of integrating with Business Payment Controls: 1. Using a generated API client (recommended) 2. Using a method of your choice ### Generating your own Business Payment Controls API client {#generating-your-own-business-payment-controls-api-client} Create customizable API clients from the Business Payment Controls API specification. This approach offers more flexibility and is strongly recommended. For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with the [business-payment-controls-swagger.yaml](https://static.developer.mastercard.com/content/business-payment-controls/swagger/business-payment-controls-swagger.yaml) (213KB) API spec. ### Using a method of your choice {#using-a-method-of-your-choice} My Service exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests. Refer to the Business Payment Controls [Reference application](https://developer.mastercard.com/business-payment-controls/documentation/reference-app/index.md). ### Environment domains {#environment-domains} Mastercard provides a sandbox and a production environment. You should test your integration in a sandbox environment to validate its operation. After completing your testing in the Business Payment Controls sandbox, request access to the production environment to go live. Note: The Sandbox environment URL for all new Business Payment Controls customers has been updated to . Existing customers currently using will not be required to migrate, and this environment will continue to be fully supported. | Environment name | Description | Link | |------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| | Sandbox | The pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration testing prior to moving to production. | `https://sandbox.apiedge.mastercard.com/commercial` | | Production | The full production environment containing the latest production API release. | `https://apiedge.mastercard.com/commercial` | Access the environments using the following links: * Sandbox * Production ```xml https://sandbox.apiedge.mastercard.com/commercial ``` ```xml https://apiedge.mastercard.com/commercial ```