# API Basics
source: https://developer.mastercard.com/eligibility-api/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses one-legged [OAuth 1.0a](https://datatracker.ietf.org/doc/html/rfc5849) for authenticating and authorizing client applications. To access Mastercard Eligibility APIs, you must authenticate your client applications: every request sent to us must be digitally signed, and only requests with valid signatures created by authorized clients are granted access to the Mastercard Eligibility service. OAuth keys for your project can be set up in your [dashboard](https://developer.mastercard.com/dashboard).

### Transport Encryption {#transport-encryption}

Note: Only the /card-identifiers endpoint has payload encryption enabled; the other endpoints do not.

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data are encrypted by default when transmitted across networks.

In addition, the Mastercard Eligibility Service uses JWE to provide end-to-end payload encryption that secures sensitive data such as the card number (PCI). You can manage your encryption keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard).

Tip: Do you want to learn more about the authentication and encryption schemes Mastercard uses? Read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) and [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/) guides.

Mastercard provides open-source [client authentication libraries](https://github.com/Mastercard?q=oauth) in several languages that you can integrate into your project or use as reference OAuth 1.0a implementations. To get started, add the package that matches your application's development language to your project.

Key Encryption Algorithm: RSA_OAEP_256

Content Encryption Algorithm: A256GCM

Tip: OAuth 1.0a presents many edge cases that are easy to miss. We strongly encourage you to use existing OAuth libraries rather than implementing the specification yourself.
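A pre-flight check for the JWE envelope described above, written as an added example and not taken from Mastercard's libraries: it parses a JWE compact serialization and confirms that the protected header and segment sizes match the two algorithms listed. It assumes the header carries the JOSE registry spellings from RFC 7518 (`RSA-OAEP-256`, `A256GCM`); the function names are hypothetical and the sample token is constructed from zero bytes, not real ciphertext.

```python
import base64
import json

# JOSE (RFC 7518) names for the algorithms this page lists as
# RSA_OAEP_256 and A256GCM.
EXPECTED = {"alg": "RSA-OAEP-256", "enc": "A256GCM"}
GCM_IV_BYTES, GCM_TAG_BYTES = 12, 16  # 96-bit IV, 128-bit tag for A256GCM


def b64url_decode(segment):
    """Decode unpadded base64url, as used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_compact(token):
    """Return a list of problems; an empty list means the envelope is as expected."""
    parts = token.split(".")
    if len(parts) != 5:
        return [f"expected 5 segments, got {len(parts)}"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        enc_key, iv, ciphertext, tag = (b64url_decode(p) for p in parts[1:])
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        return [f"malformed segment: {exc}"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = [f"{k} is {header.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED.items() if header.get(k) != v]
    if not enc_key:
        problems.append("encrypted key segment is empty")
    if len(iv) != GCM_IV_BYTES:
        problems.append(f"IV is {len(iv)} bytes, expected {GCM_IV_BYTES}")
    if not ciphertext:
        problems.append("ciphertext segment is empty")
    if len(tag) != GCM_TAG_BYTES:
        problems.append(f"tag is {len(tag)} bytes, expected {GCM_TAG_BYTES}")
    return problems


def sample_token(alg, enc, iv_len=12):
    """Constructed sample: zero bytes stand in for key, IV, ciphertext and tag."""
    header = json.dumps({"alg": alg, "enc": enc}).encode()
    segments = [header, bytes(256), bytes(iv_len), bytes(32), bytes(16)]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segments)


if __name__ == "__main__":
    print(check_jwe_compact(sample_token("RSA-OAEP-256", "A256GCM")))
    print(check_jwe_compact(sample_token("RSA1_5", "A128CBC-HS256", iv_len=16)))
```

This only inspects the envelope; it does not decrypt or authenticate the payload, which remains the job of the encryption library.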

## How to Consume the Eligibility/Token API? {#how-to-consume-the-eligibilitytoken-api}

There are two ways of integrating with the Eligibility API:

1. Using a generated API client (recommended)
2. Using a method of your choice

### Generating your own API client {#generating-your-own-api-client}

Create customizable API clients from the Eligibility API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with our API specification:
[eligibility-spec.yaml](https://static.developer.mastercard.com/content/eligibility-api/swagger/eligibility-spec.yaml) (34KB)

### Using a method of your choice {#using-a-method-of-your-choice}

Eligibility exposes a REST API. You are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests.

For that, please refer to the Eligibility [REST API Reference](https://developer.mastercard.com/eligibility-api/documentation/api-reference/index.md).

## Environments {#environments}

| **Environment** |                                                                     **Description**                                                                      |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration prior to moving to production. |
| Production      | Full production environment containing the latest production API release.                                                                                |

