# SOAP API Basics source: https://developer.mastercard.com/iccp/documentation/api_basics/soap_api_basics/index.md > The section provides introductory information for integrating your application with the ICCP API. ## API Protocol {#api-protocol} The ICCP API uses HTTP POST requests to communicate and HTTP response codes to indicate status and errors. * All requests and responses are in SOAP/XML format. To ensure data privacy, the API is served over HTTPS [TLS v1.2+](https://en.wikipedia.org/wiki/Transport_Layer_Security). * **All requests must include a `Content-Type` of `text/xml` and the requests body must be a valid SOAP/XML message.** * All requests must conform to the ICCP API schema defined in the WSDL and XSD files. These files are provided with the [Reference Application](https://developer.mastercard.com/iccp/documentation/ref_app_tutorials/reference-application/index.md). ## API Environments {#api-environments} Mastercard provides a sandbox and a production environment. You should test your integration in a sandbox environment to validate its operation. After completing your testing, request access to the production environment to go live. Access the environments using the following links: | Environment | Link | |-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| | Sandbox | * Financial endpoint: `https://sandbox.api.mastercard.com/iccp/financial` * Reporting endpoint: `https://sandbox.api.mastercard.com/iccp/reporting` | | Production | * Financial endpoint: `https://api.mastercard.com/iccp/financial` * Reporting endpoint: `https://api.mastercard.com/iccp/reporting` | Note: Please refer to the following domains for Issuers in India. Note that Sandbox endpoints for global will be consistent for Issuers in India. | Environment | Link | |-----------------|--------------------------------------------------------------------------| | India Financial | * Financial endpoint: `https://services.mastercard.co.in/iccp/financial` | | India Reporting | * Reporting endpoint:`https://services.mastercard.co.in/iccp/reporting` | Send the following API calls to the reporting endpoint: * `CreateVCNAuthorizationsReport` * `GetVCNAuthorizationsReport` * `CreateVCNClearingsReport` * `GetVCNClearingsReport` * `GetPurchaseRequestDetail` Send the rest of the API calls to the financial endpoint. For a complete list of API calls, refer to the [API Reference](https://developer.mastercard.com/iccp/documentation/05_api_reference/soap_api/index.md) module. ## Authentication {#authentication} Access the ICCP API through the Mastercard API gateway. It uses the [OAuth 1.0a](https://oauth.net/core/1.0a/) standard to authenticate API requests from your client application. * When you build the provided reference application, the `Mastercard oauth1-signer-java OAUTH 1.0a` library for java is automatically downloaded as one of the dependencies. * You can also download this library from [here](https://github.com/Mastercard?q=oauth). Mastercard also makes an OAuth [plugin](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/#insomnia-plugin) available for the Insomnia test tool allowing you to test sample ICCP API requests from the [API Reference](https://developer.mastercard.com/iccp/documentation/05_api_reference/soap_api/configuration-details/getdatasource/index.md). To learn how Mastercard uses the OAuth 1.0a standard for authentication, refer to the [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/) article. ## Using Signing Keys {#using-signing-keys} The ICCP API requires a signing key and a consumer key to authorize your client API requests in both sandbox and production environments. If you do not include keys, or include incorrect or outdated keys, then the ICCP API responds with respective errors. ![](https://static.developer.mastercard.com/content/iccp/uploads/api-keys.png) ### Obtaining Keys {#obtaining-keys} You can obtain keys to these environments in the following ways: * **Sandbox keys** - By creating a new project on your dashboard. Refer to the [Quick Start Guide](https://developer.mastercard.com/iccp/documentation/quick-start-guide/index.md) topic for more details. * **Production keys** - By requesting production access for your project. ## Setting up Your Configuration in ICCP {#setting-up-your-configuration-in-iccp} Your Mastercard administrator performs the following setup in the ICCP system and notifies you once the set up is complete. You cannot make successful calls to the ICCP API until this configuration is complete. * Real Card Numbers (funding cards) * Purchase Templates * Purchase Group * Suppliers ## Using Correlation ID {#using-correlation-id} The correlation ID provides a Universally Unique Identifier (UUID) to trace each API request across ICCP. The correlation ID is a single, unique ID that traces ICCP API calls across the Mastercard network. Format: * Unique, hyphen-separated alphanumeric string. We recommend the UUID algorithm, an industry standard that guarantees a high degree of uniqueness. * Length: 14-36 characters. * Example: 123e4567-e89b-12d3-a456-344555440000 You can supply a correlation ID in the X-B3-TraceId field in the HTTP request header in the format above. `X-B3-TraceId` is an industry standard field for passing trace information using HTTP headers. If you do not provide a correlation ID in a request, or if the value provided does not meet the requirements, Mastercard creates a new correlation ID for the request in the `X-B3-TraceId` field. Any API requests that require troubleshooting assistance by Mastercard, the correlation ID speeds up the tracing of the affected requests across the Mastercard network. ## Next Steps {#next-steps} Now that you have an understanding of the service's authentication and encryption, proceed to the [Quick Start Guide](https://developer.mastercard.com/iccp/documentation/quick-start-guide/index.md) section to learn how to access the API and generate your credentials.