# API Security
source: https://developer.mastercard.com/cross-border-services/documentation/api-basics/api-security/index.md

## Authentication {#authentication}

To access Mastercard Cross-Border Services APIs, you will need to use [OAuth1.0A](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) as the authentication mechanism.
Please see [Getting Started with APIs](https://developer.mastercard.com/cross-border-services/documentation/getting-started/index.md) for step-by-step instructions on how to set up.

Alert: If you are a Customer contracted with MTS EU or MTS UK, you must use [OAuth2.0 Authorization Code flow](https://developer.mastercard.com/cross-border-services/documentation/oauth2-access-token-based-authentication-details/index.md) for Balance APIs and [OAuth2.0 Request Token based flow](https://developer.mastercard.com/cross-border-services/documentation/oauth2-request-token-based-authentication-details/index.md) for all other APIs (except Balance API) as the authentication mechanism, to ensure compliance with the relevant jurisdiction-based Regulatory Technical Standards (either EU or UK) derived from the Revised Payment Services Directive (PSD2). Please proceed to [Getting Started with APIs using OAuth2.0](https://developer.mastercard.com/cross-border-services/documentation/getting-started-oauth2/index.md) for step-by-step instructions on how to set up.

## Payload Encryption {#payload-encryption}

All request payloads that you send to Mastercard must be encrypted, and you will need to decrypt the payloads that Mastercard sends to you.

For more detailed information on payload **Encryption or Decryption**, please see [here](https://developer.mastercard.com/cross-border-services/documentation/api-ref/encryption/index.md).

Note: If you are a Customer contracted with MTS EU or MTS UK and use [OAuth2.0 Authorization Code flow](https://developer.mastercard.com/cross-border-services/documentation/oauth2-access-token-based-authentication-details/index.md) for Balance APIs and [OAuth2.0 Request Token based flow](https://developer.mastercard.com/cross-border-services/documentation/oauth2-request-token-based-authentication-details/index.md) for all APIs (except Balance API) as the authentication mechanism to ensure compliance with the relevant jurisdiction-based Regulatory Technical Standards (either EU or UK) derived from the Revised Payment Services Directive (PSD2), encrypting the request payload is optional, since there are other security measures adopted for OAuth2.0 flows.

## Project Keys {#project-keys}

The following diagram shows the project keys that are used for authentication and encryption for each environment.   

![](https://static.developer.mastercard.com/content/cross-border-services/documentation/images/SendXB_UpdatedProjectKeys.png)

The following table summarizes the keys and describes how the keys are used.

|                                                                                  Use Case Category                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                           Description                                                                                                                                                                                                                                                                                                                                                                                           |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox Signing Key and Consumer Key ![](https://static.developer.mastercard.com/content/cross-border-services/documentation/api-basics/images/keys_icon_sandbox_signing.png)       | Private keys used for API authentication with the Sandbox and MTF environments. Mastercard generates the initial set of keys when creating your project; you download the Signing Key via your browser. The project page shows the Consumer Key. If you want to generate and use your own keys, you can discard the Mastercard-generated keys and renew them using your Certificate Signing Request (CSR) file, by clicking **Actions \> Renew** next to the keys in the product page; see [How To Renew Your Project Keys](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/renewing-your-keys/).                                                                                                                                                  |
| Production Signing Key and Consumer Key ![](https://static.developer.mastercard.com/content/cross-border-services/documentation/api-basics/images/keys_icon_production_signing.png) | Private keys used for API authentication with the Production environment. Mastercard can generate this key set for you when you request Production access; you download the Signing Key via your browser. Alternatively, we recommend that you generate your own keys and upload your CSR file. The project page shows the Consumer Key.                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Client Encryption Keys ![](https://static.developer.mastercard.com/content/cross-border-services/documentation/api-basics/images/keys_icon_client_encryption_v2.png)                | An asymmetric key pair (public/private key pair for encryption/decryption). You use this key to encrypt the data to be sent to Mastercard. Mastercard generates the initial set of keys when creating your project. The public key will be downloaded via your browser and Mastercard will own the private key in this case. The public key/certificate can also be downloaded in PEM format from your [Project page](https://developer.mastercard.com/dashboard) by clicking on the project and using the **Actions \> Download Encryption Key** under the Client Encryption Keys section. The Production key pair is generated when you request Production access.                                                                                                                            |
| Mastercard Encryption Keys ![](https://static.developer.mastercard.com/content/cross-border-services/documentation/api-basics/images/keys_icon_mastercard_encryption.png)           | An asymmetric key pair (public/private key pair for encryption/decryption). Mastercard uses this key to encrypt the data sent to you. The key pair will be downloaded via your browser. Mastercard generates the initial set of keys when creating your project. The Production key pair is generated when you request Production access. Mastercard doesn't know and never stores your private keys. Alternatively, we recommend that you generate your own keys and upload your CSR file. To do this, renew the Mastercard-generated keys using your CSR file, by clicking **Actions \> Renew** next to the keys in the product page; see [How To Renew Your Project Keys](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/renewing-your-keys/). |

Once generated, most of these keys and their certificates will be accessible from your API project page, except for the private keys you generated offline.
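
The table recommends generating your own keys and uploading a CSR, so the private key never leaves your systems. The shell functions below are an added example (not Mastercard tooling) that creates a key pair offline and checks the CSR before upload; the RSA 2048 key size, subject fields and file names are assumptions, so confirm the required values in the key renewal guide.

```shell
#!/bin/sh
# Added example: create a key pair offline and a CSR to upload when renewing keys.
# Assumptions (not from the page): RSA 2048, the subject fields, the file names.

# make_csr DIR COMMON_NAME -> writes DIR/signing-key.pem and DIR/signing.csr
make_csr() {
    dir=$1; cn=$2
    (
        umask 077   # the key file is created readable by its owner only
        # -nodes: no passphrase (non-interactive example), so protection of the
        # key rests on file permissions and on where the file is stored.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/signing-key.pem" -out "$dir/signing.csr" \
            -subj "/CN=$cn/O=Example Org/C=US" 2>/dev/null
    )
}

# SHA-256 digest of the public key derived from a private key file
key_pub_digest() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 digest of the public key embedded in a CSR
csr_pub_digest() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_key KEY CSR -> 0 only when the CSR's self-signature verifies
# and the CSR carries the public half of KEY. Run this before uploading, so
# the certificate you get back can actually be used with the key you hold.
csr_matches_key() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(key_pub_digest "$1")" = "$(csr_pub_digest "$2")" ]
}

# Usage (constructed names):
#   make_csr ./keys "my-project-signing" && \
#   csr_matches_key ./keys/signing-key.pem ./keys/signing.csr && echo "CSR ready to upload"
```

Only the `.csr` file is uploaded; it contains the public key and subject, never the private key.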
