# API Basics
source: https://developer.mastercard.com/consumer-credit-analytics/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses OAuth 1.0a for authenticating your application. You can manage your authentication keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) after you created a project using the Consumer Credit Analytics (CCA) API.
Tip: Do you want to learn more about the authentication scheme Mastercard uses? For more details, refer to the [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

### Encryption {#encryption}

In addition to the OAuth authentication, when using CCA, any PCI sensitive and all account holder Personally Identifiable Information (PII) data must be encrypted. Sensitive data is encrypted using a symmetric session (one-time-use) key. The symmetric session key is then wrapped with an RSA Public Key supplied by Mastercard during the API setup phase (the Customer Encryption Key). Since the request and response contains sensitive data, the request and response payload are encrypted using the JWE encryption scheme.

For further details, refer to [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/).

Refer to the [sample encrypted request and response](https://developer.mastercard.com/consumer-credit-analytics/tutorial/api-testing/step3/index.md#sample-encrypted-request-and-response/) section for more details.

### Encryption Libraries {#encryption-libraries}

Mastercard has abstracted the encryption scheme in the [client encryption libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#client-libraries) available in most used development languages. We highly recommend you utilize these libraries to encrypt the sensitive data used by this service.

You can use the following configuration for client encryption libraries in this service.

    JweConfig jweConfig = JweConfigBuilder.aJweEncryptionConfig()
    .withEncryptionCertificate(encryptionCertificate)
    .withEncryptionKeyFingerprint(encryptionKeyFingerprint)
    .withDecryptionKey(decryptionKey)
    .build();

## How to Consume the Consumer Credit Analytics (CCA) API? {#how-to-consume-the-consumer-credit-analytics-cca-api}

Note: There are multiple ways of integrating with the Consumer Credit Analytics (CCA) API.

1. Using a generated API client (recommended).
2. Using a method of your choice.

### Generating your own Consumer Credit Analytics API client {#generating-your-own-consumer-credit-analytics-api-client}

Create customizable API clients from the Consumer Credit Analytics API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/generating-and-configuring-a-mastercard-api-client/) tutorial with:

* The following API specification: [consumer-credit-analytics.yaml](https://static.developer.mastercard.com/content/consumer-credit-analytics/swagger/consumer-credit-analytics.yaml) (17KB)
* The [Reference App](https://developer.mastercard.com/consumer-credit-analytics/documentation/reference-app/index.md) shows a typical usage of the Consumer Credit Analytics API. We strongly recommend you use our Reference App to consume this API.

### Using a method of your choice {#using-a-method-of-your-choice}

The Consumer Credit Analytics API exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) for signing your requests.

For that, refer to the Consumer Credit Analytics API [REST API Reference](https://developer.mastercard.com/consumer-credit-analytics/documentation/api-reference/index.md).

## Environments {#environments}

The table below describes the two different environments that are available.

| **Environment** |                                                                                                                                                                         **Description**                                                                                                                                                                          |
|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Early access environment containing limited-capability mock APIs, intended to assist with the initial integration for new clients. The sandbox returns mock responses for a defined request. The samples can be used as a reference for sending requests and receiving responses. The Sandbox will only validate the length and data type of request parameters. |
| Production      | Full production environment containing the latest production API release. Once all testing has been completed and you are ready to go live, you should request access to the live production environment.                                                                                                                                                        |