# Authentication and Encryption
source: https://developer.mastercard.com/ethoca-consumer-clarity-for-merchants/documentation/api-basics/authentication-and-encryption/index.md

## Authentication {#authentication}

Every Merchant Transaction API request must be authorized. To allow for authorization, every request carries an HMAC signature header that is time-stamped and based on a symmetric key.

Ethoca creates an API secret key and key ID, with an entropy that must be no less than 128 bits. The API secret key and key ID are exchanged securely between you and Ethoca out-of-band; the HMAC signature lets Ethoca confirm that a request was produced with that secret key without the key itself ever being sent in the request.

The API key ID must be provided with every request, along with an HMAC signature header, in the following format:

`Authorization: ETHOCA-SHA1 KeyRef=<API Key_ID>,Signature=<base64UrlSafe_hmac_signature>`

For a tutorial on how to create a valid HMAC signature, refer to [How to Create an HMAC Signature](https://developer.mastercard.com/ethoca-consumer-clarity-for-merchants/documentation/tutorials-and-guides/how-to-create-hmac-signature/index.md).

## Encryption {#encryption}

The transport of data must be secured by encryption with the use of HTTPS. The use of HTTP without SSL/TLS isn't supported.

## Information Security {#information-security}

Responses to API requests may include personally identifiable information (PII). Ethoca classifies this data as "Regulated-Classified". Consistent with Ethoca's policy on Applications and Systems Development and Maintenance, Ethoca requires that members/customers not deliver production data to the Sandbox environment at any time.

## Replay Mitigation {#replay-mitigation}

To reduce the risk of a replay attack, Ethoca strongly recommends validating the request timestamp to ensure it is within an acceptable timeframe -- for example, not older than one minute.
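The following is an added example, not code from Ethoca's documentation or SDKs, showing how a receiving side can parse the `Authorization: ETHOCA-SHA1 KeyRef=...,Signature=...` header described above, reject stale or future-dated timestamps before doing any cryptography, and then verify the base64 URL-safe HMAC-SHA1 signature with a constant-time comparison. The canonical string that is signed (`<timestamp>\n<body>`), the use of Unix epoch seconds for the timestamp, the in-memory key store, the five-second clock-skew allowance and all credential values are assumptions made for the example; the real canonical form is defined in Ethoca's HMAC tutorial.

```python
import base64
import hashlib
import hmac
import time

# Constructed example credentials (not real Ethoca values). In practice the key ID
# and secret are issued by Ethoca out-of-band and carry at least 128 bits of entropy.
KEY_STORE = {
    "example-key-id-1": b"0123456789abcdef0123456789abcdef",  # 32 bytes, constructed
}

MAX_AGE_SECONDS = 60          # the page's suggested window: not older than one minute
MAX_FUTURE_SKEW_SECONDS = 5   # assumption: small tolerance for client clock drift


def parse_authorization_header(header: str):
    """Split 'ETHOCA-SHA1 KeyRef=<id>,Signature=<sig>' into (key_ref, signature).

    Returns None when the scheme token or either parameter is missing.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme != "ETHOCA-SHA1":
        return None
    fields = {}
    for part in params.split(","):
        # partition on the first '=' only, so base64 '=' padding in the value survives
        name, sep, value = part.strip().partition("=")
        if sep:
            fields[name] = value
    if "KeyRef" not in fields or "Signature" not in fields:
        return None
    return fields["KeyRef"], fields["Signature"]


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """Base64 URL-safe HMAC-SHA1 over a canonical string.

    Assumption: the signed string is '<timestamp>\\n<body>'. This is a stand-in for
    the canonical form defined in Ethoca's HMAC tutorial.
    """
    message = str(timestamp).encode() + b"\n" + body
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode()


def is_timestamp_fresh(timestamp: int, now: int) -> bool:
    """Accept timestamps within [now - MAX_AGE, now + skew]; anything else is a replay
    candidate or a badly skewed clock."""
    age = now - timestamp
    return -MAX_FUTURE_SKEW_SECONDS <= age <= MAX_AGE_SECONDS


def verify_request(header: str, timestamp: int, body: bytes, now=None):
    """Return (accepted, reason).

    Freshness is checked before the HMAC so that a captured request with a valid
    signature is rejected on its timestamp alone once the window has passed.
    """
    if now is None:
        now = int(time.time())
    parsed = parse_authorization_header(header)
    if parsed is None:
        return False, "malformed Authorization header"
    key_ref, presented = parsed
    secret = KEY_STORE.get(key_ref)
    if secret is None:
        return False, "unknown KeyRef"
    if not is_timestamp_fresh(timestamp, now):
        return False, "stale or future timestamp"
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison: a plain '==' would leak a timing side channel.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: sign it, then show the verifier accepting it now and
    # rejecting the identical request replayed two minutes later.
    now = int(time.time())
    body = b'{"merchantId":"EXAMPLE"}'
    sig = compute_signature(KEY_STORE["example-key-id-1"], now, body)
    hdr = f"ETHOCA-SHA1 KeyRef=example-key-id-1,Signature={sig}"
    print(verify_request(hdr, now, body, now=now))
    print(verify_request(hdr, now, body, now=now + 120))
```

Checking the timestamp window before the signature keeps the replay decision independent of the HMAC outcome and avoids spending a hash computation on requests that are already outside the window; pairing the window with a short-lived cache of recently seen signatures would close the remaining gap within the window.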

## See Also {#see-also}

To review the technical requirements for implementing Ethoca's Merchant Transaction API, review [API Request/Response Common Elements and Headers](https://developer.mastercard.com/ethoca-consumer-clarity-for-merchants/documentation/api-basics/common-elements-headers/index.md).

## Next Steps {#next-steps}

Now that you have an understanding of the service's authentication and encryption, proceed to [Getting Started](https://developer.mastercard.com/ethoca-consumer-clarity-for-merchants/documentation/getting-started/index.md) to learn how to access the API and generate your credentials.
