# API Basics
source: https://developer.mastercard.com/consent-management/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

The APIs are RESTful APIs with OAuth security. Your API requests must have an OAuth 1.0a Authorization
Header for authentication.

Mastercard uses OAuth 1.0a to authenticate your application. You can manage your authentication keys in the [Developer Dashboard](https://developer.mastercard.com/dashboard) after you create a project. Mastercard provides [client authentication libraries](https://github.com/Mastercard?q=oauth) in several languages that you can integrate with your project or use as a reference in your implementations:

|                      | Java | C# | Python | NodeJS | Go |
|----------------------|------|----|--------|--------|----|
| **Download/install** | [Maven Central](https://search.maven.org/artifact/com.mastercard.developer/oauth1-signer/) | [NuGet](https://www.nuget.org/packages/Mastercard.Developer.OAuth1Signer.RestSharpV2/) | [PyPI](https://pypi.org/project/mastercard-oauth1-signer/) | [npm](https://www.npmjs.com/package/mastercard-oauth1-signer) | [GitHub releases](https://github.com/Mastercard/oauth1-signer-go) |
| **View on GitHub**   | [oauth1-signer-java](https://github.com/Mastercard/oauth1-signer-java) | [oauth1-signer-csharp](https://github.com/Mastercard/oauth1-signer-csharp) | [oauth1-signer-python](https://github.com/Mastercard/oauth1-signer-python) | [oauth1-signer-nodejs](https://github.com/Mastercard/oauth1-signer-nodejs) | [oauth1-signer-go](https://github.com/Mastercard/oauth1-signer-go) |

Generate the OAuth 1.0a Authorization Header using the appropriate Production Key and Consumer Key,
signed using the Google Request Body Hash extension for OAuth. Your project page shows the Consumer
Key, which you can copy using Actions \> Copy Consumer Key. Ensure you
copy the Consumer Key shown under Production Keys, not Sandbox Keys.
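The body hash extension binds the request body to the signature. The following added example (not Mastercard code) builds `oauth_body_hash` and the RFC 5849 signature base string that the private key then signs. SHA-256, `RSA-SHA256`, the POST method and every sample value are assumptions made for illustration; the RSA signing step itself is left to the signer libraries listed above.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(value, safe="-._~")

def body_hash(body: bytes) -> str:
    # oauth_body_hash = Base64(digest(raw body bytes)); SHA-256 is assumed here.
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def signature_base_string(method: str, url: str, oauth_params: dict, body: bytes) -> str:
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query string (sample URL has no port).
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += list(oauth_params.items())
    params.append(("oauth_body_hash", body_hash(body)))
    # Encode names and values, sort, then join as name=value pairs.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

# Constructed sample request; none of these values are real credentials.
SAMPLE_URL = "https://sandbox.api.mastercard.com/openapis/authentication/consents/CONSTRUCTED-CARD-REF"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "CONSTRUCTED-CONSUMER-KEY",
    "oauth_nonce": "constructed-nonce-0001",
    "oauth_signature_method": "RSA-SHA256",  # assumption, not stated on this page
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    original = signature_base_string("POST", SAMPLE_URL, SAMPLE_OAUTH, b'{"consent":true}')
    tampered = signature_base_string("POST", SAMPLE_URL, SAMPLE_OAUTH, b'{"consent":false}')
    print(original)
    # A changed body changes the signed string, so the old signature no longer verifies.
    print("body change alters signed data:", original != tampered)
```

Hash the exact bytes that go on the wire: re-serializing the JSON after signing changes the hash and the request is rejected.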

You can implement your own OAuth 1.0a header or use the relevant Mastercard OAuth libraries available
on [GitHub](https://github.com/Mastercard). For guidance, you can refer to the README.md file.

For detailed information on using OAuth 1.0a with the APIs and generating Authorization Headers, see
[Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/).

### Transport Encryption {#transport-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks.

In addition to that, Consent Management uses JWE to provide end-to-end payload encryption to secure sensitive data like Personally Identifying Information (PII). These APIs are identified in the [API Reference](https://developer.mastercard.com/consent-management/documentation/api-reference/index.md).

You can manage your encryption keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) (within the "Client Encryption Keys" section).

## How to consume the Consent Management API? {#how-to-consume-the-consent-management-api}

Note: There are multiple ways of integrating with Consent Management:

1. Using a generated API client (recommended)
2. Using a method of your choice

### Generating your own Consent Management API client {#generating-your-own-consent-management-api-client}

Create customizable API clients from the Consent Management API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with the following API specification:
[cbc-consent-spec.yaml](https://static.developer.mastercard.com/content/consent-management/swagger/cbc-consent-spec.yaml) (14KB)

It is strongly recommended that you use the Mastercard encryption libraries available on
[GitHub](https://github.com/Mastercard) (e.g.
[client-encryption-java](https://github.com/Mastercard/client-encryption-java),
[client-encryption-python](https://github.com/Mastercard/client-encryption-python), etc.).

The encryption method takes a configuration object, which is described below for Java and Python:

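```java
import com.mastercard.developer.encryption.JweConfig;
import com.mastercard.developer.encryption.JweConfigBuilder;
import com.mastercard.developer.utils.EncryptionUtils;
import java.security.cert.Certificate;

// Path to your encryption certificate (PEM)
String ENCRYPTION_KEY_FILENAME = "your-encryption-key.pem";

Certificate encryptionCertificate = EncryptionUtils.loadEncryptionCertificate(
        ENCRYPTION_KEY_FILENAME);

// Encrypt the whole request body ("$") and put the JWE in "jweEncryptedData"
JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
        .withEncryptionCertificate(encryptionCertificate)
        .withEncryptionPath("$", "$")
        .withEncryptedValueFieldName("jweEncryptedData")
        .build();
```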

```python
ENCRYPTION_KEY_FILENAME = "your-encryption-key.pem"
encryptConfig = FieldLevelEncryptionConfig({
    "paths": {
        "$": {
            "toEncrypt": {
                "$": "$"
            },
            "toDecrypt": {}
        }
    },
    "encryptedValueFieldName": "jweEncryptedData",
    "encryptionCertificate": ENCRYPTION_KEY_FILENAME
})
```
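With the path `$` mapped to `$`, the whole request body is expected to leave your application as a single `jweEncryptedData` field holding a compact JWE. The following added example (not Mastercard library code) is a pre-send check that rejects bodies where plaintext fields would travel alongside or instead of the encrypted value; the function names, the sample header values and the sample token are constructed for illustration.

```python
import base64
import json

# Field name taken from the encryptedValueFieldName setting shown above.
ENCRYPTED_FIELD = "jweEncryptedData"

def b64url_decode(segment: str) -> bytes:
    # JWE segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_encrypted_body(raw_body: str) -> dict:
    """Return the JWE protected header if the whole body is wrapped, else raise ValueError."""
    body = json.loads(raw_body)
    if not isinstance(body, dict) or set(body) != {ENCRYPTED_FIELD}:
        raise ValueError("body must contain only the encrypted field")
    token = body[ENCRYPTED_FIELD]
    segments = token.split(".") if isinstance(token, str) else []
    # RFC 7516 compact form: header.encrypted_key.iv.ciphertext.tag
    if len(segments) != 5 or not all((segments[0], segments[2], segments[3], segments[4])):
        raise ValueError("value is not a JWE compact serialization")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict) or not {"alg", "enc"} <= set(header):
        raise ValueError("protected header lacks alg/enc")
    return header

def sample_token() -> str:
    # Constructed sample: a plausible header followed by opaque placeholder segments.
    header = json.dumps({"alg": "RSA-OAEP-256", "enc": "A256GCM"}).encode()
    head = base64.urlsafe_b64encode(header).rstrip(b"=").decode()
    return ".".join([head, "a2V5", "aXY", "Y2lwaGVy", "dGFn"])

if __name__ == "__main__":
    good = json.dumps({ENCRYPTED_FIELD: sample_token()})
    leaky = json.dumps({ENCRYPTED_FIELD: sample_token(), "cardholderName": "Test User"})
    for label, body in (("wrapped", good), ("leaky", leaky)):
        try:
            print(label, "->", check_encrypted_body(body))
        except ValueError as exc:
            print(label, "-> rejected:", exc)
```

The check inspects structure only; it does not decrypt or validate the ciphertext.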

### Using a method of your choice {#using-a-method-of-your-choice}

Consent Management exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client authentication](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) and [client encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#client-libraries) libraries for signing your requests and dealing with payload encryption.

For that, please refer to the Consent Management [REST API Reference](https://developer.mastercard.com/consent-management/documentation/api-reference/index.md).

## Environments {#environments}

### Sandbox: {#sandbox}

The Consent Management Sandbox environment is accessed through the free tier, seen below. Testing in sandbox is through a provided test card, which can be seen under the FAQ section of the documentation. Prior to receiving test Transaction Notifications, the test card must be enrolled using the Consent Management API. Consents and Transaction Notification APIs can be set up as one project in both Sandbox and Production. Please see more information on our tiered access below.

Base URL for calling Sandbox endpoints:
```
https://sandbox.api.mastercard.com/openapis/authentication/consents/{card_ref}
```

### Production: {#production}

Once testing with the test card has been completed in Sandbox, the Basic tier is accessible to enrol up to 10 cards in the Production environment. In this tier, any Mastercard can be used to complete testing. However, we suggest that you use card types that are in line with the cards you will most likely be enrolling. For example, if your use case is Expense Management, corporate Mastercard cards would be preferred for testing. Following this, for full access to the production environment, premium tier access will be needed.

Base URL for calling Production endpoints:
```
https://api.mastercard.com/openapis/authentication/consents/{card-ref}
```

## API Status {#api-status}

The Consent Management API has synthetic monitoring in place that constantly checks that the API is up and functioning as expected. This information is publicly available so that you can check the uptime and whether there have been any recent issues with the product. Please check the [status page](https://developer.mastercard.com/api-status) for this information.

## Headers {#headers}

With the exception of Authentication, the only required header is **Content-Type**, which will be **application/json**.
