# API Basics
source: https://developer.mastercard.com/community-pass-payment-apis/documentation/api-basics-old/index.md

The MCPP APIs are organized around [REST](https://en.wikipedia.org/wiki/Representational_state_transfer). They have predictable resource-oriented URLs, accept form-encoded request bodies, return [JSON-encoded](https://www.json.org/json-en.html) responses, and use standard HTTP response codes, authentication, and verbs.

## Authentication {#authentication}

The MCPP APIs can be accessed through the Mastercard Developers API Gateway, which uses the [OAuth 1.0a](https://oauth.net/core/1.0a/) standard for access delegation.

**In short**

* Mastercard uses OAuth 1.0a for authenticating client applications
* Requests with a body must be signed using the Google Request Body Hash extension for OAuth
* OAuth Keys for your project can be set up in your dashboard
* Client authentication libraries can be found on [GitHub](https://github.com/Mastercard/oauth1-signer-java), with how-to information provided in `README.md` files

Refer to the following pages for more details:

* [Mastercard uses OAuth 1.0a for authenticating client applications](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#overview)
* [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/)
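
The following added example (not Mastercard's own code, and not taken from the client libraries linked above) shows how the body hash binds the request body to the OAuth 1.0a signature: it builds the signature base string that the client then signs with its private signing key. It assumes SHA-256 for the body hash and `RSA-SHA256` as the signature method name; the consumer key, nonce, timestamp, resource path and body are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value: str) -> str:
    """Percent-encode per OAuth 1.0a: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def body_hash(body: bytes) -> str:
    """oauth_body_hash: Base64 of the digest of the raw body (SHA-256 is an assumption)."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def base_url(url: str) -> str:
    """Lowercase scheme and host, drop default ports, the query string and the fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"

def signature_base_string(method: str, url: str, oauth_params: dict, body: bytes) -> str:
    """Build the string the client signs; the body is treated as opaque bytes."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(oauth_params.items())
    params.append(("oauth_body_hash", body_hash(body)))
    # Encode every name and value first, then sort by encoded name and value.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])

# Constructed sample values: key, nonce, timestamp, path and body are placeholders.
SAMPLE_URL = "https://sandbox.api.mastercard.com/community-pass/payments/example?limit=10"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "EXAMPLE-CONSUMER-KEY",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "RSA-SHA256",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SAMPLE_BODY = b'{"constructed": "sample body"}'

if __name__ == "__main__":
    print(signature_base_string("post", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY))
```

Because `oauth_body_hash` is one of the signed parameters, any change to the body in transit changes the base string, so the signature no longer verifies.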

### Obtaining API keys {#obtaining-api-keys}

The API keys are available in your project dashboard on Mastercard Developers. You should use the Sandbox API keys for testing and development. A different set of keys is required for the Production environment.
Note: If you haven't downloaded the keys yet, refer to the [Getting Started](https://developer.mastercard.com/community-pass-payment-apis/documentation/getting-started/index.md) section.

## Encryption {#encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data are encrypted by default when transmitted across networks. Where sensitive data like personally identifying information (PII) is sent, this is also encrypted using Mastercard's encryption scheme. For further details, please refer to [Securing Sensitive Data Using Payload Encryption](https://stage.developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/).

## Environment Descriptions {#environment-descriptions}

|  Environment   |                             URL                              |                                                                         Description                                                                         |
|----------------|--------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Sandbox**    | <https://sandbox.api.mastercard.com/community-pass/payments> | Sandbox is a production-like environment to interact with the MCPP APIs. At this stage, use the Sandbox keys generated during the project creation.         |
| **Production** | <https://api.mastercard.com/community-pass/payments>         | You can request approval to obtain the Production keys. Once approved, you can proceed to complete Production testing prior to launching your solution.     |

