# API Basics
source: https://developer.mastercard.com/identity-insights-for-transactions/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses mutual TLS (mTLS) to authenticate your application. You can manage your authentication keys from your [Mastercard Connect KMP portal](https://static.developer.mastercard.com/content/identity-insights-for-transactions/KMP-User-Guide.pdf) after you have created a project using the IIT Service.

Select "Mastercard Identity Insights" in the KMP portal for the IIT Service.

Tip: Do you want to learn more about the authentication scheme Mastercard uses? For that, read our [Using MTLS to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-mtls-to-access-mastercard-apis/) guide.

For better latency, use HTTP persistent connections by including the `Connection: keep-alive` header in your requests.

### Transport Encryption {#transport-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data are encrypted by default when transmitted across networks.

In addition, the Identity Insights for Transactions service uses JWE (JSON Web Encryption) to provide end-to-end payload encryption for sensitive data such as Personally Identifying Information (PII).
You can manage your encryption keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard).

Please read the [Mastercard JWE Encryption Guide](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#jwe-encryption).

Tip: Do you want to learn more about the encryption schemes Mastercard uses? For that, read our [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/) guide.

## How to Consume the Identity Insights for Transactions (IIT) Service API? {#how-to-consume-the-identity-insights-for-transactions-iit-service-api}

Note: There are multiple ways of integrating with IIT Service:

1. Using a generated API client (recommended)
2. Using a method of your choice

### Generating your own Identity Insights for Transactions (IIT) Service API client {#generating-your-own-identity-insights-for-transactions-iit-service-api-client}

Create customizable API clients from the Identity Insights for Transactions API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with:

* The following API specification: [IIT-swagger-public.yaml](https://static.developer.mastercard.com/content/identity-insights-for-transactions/swagger/IIT-swagger-public.yaml) (32KB)

### Using a method of your choice {#using-a-method-of-your-choice}

Identity Insights for Transactions exposes a REST API, so you are free to use the REST/HTTP client of your choice. You can still leverage the Mastercard open-source [client authentication](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-mtls-to-access-mastercard-apis/#client-libraries) and client encryption libraries for signing your requests and dealing with payload encryption.

For that, please refer to the Identity Insights for Transactions service [REST API Reference](https://developer.mastercard.com/identity-insights-for-transactions/documentation/api-reference/index.md).

Include the following JWE header parameters when encrypting data.

| **JWE Header Parameter** |                                                        **Description**                                                        |
|--------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| enc                      | Content Encryption algorithm. Must have a value of A256GCM                                                                    |
| alg                      | Key Encryption algorithm. Must have a value of RSA-OAEP-256                                                                   |
| cty                      | application/json                                                                                                              |
| kid                      | Contains the public key fingerprint ID (the value is displayed under the Client Encryption Keys section of the project page). |

### Body {#body}

The request body for API calls to the Identity Insights for Transactions API carries the encrypted data as shown below. Replace the `JWE Payload` string with your encrypted message.

```json
{
  "encryptedData": "JWE Payload"
}
```

Tip: We strongly encourage you to use existing libraries rather than implementing the encryption and decryption steps yourself.
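
A pre-flight check, added here as an example and not taken from Mastercard's libraries, that a JWE compact string produced by your encryption library carries the header parameters from the table above before it is wrapped in the `encryptedData` body. The function names are assumptions, and the sample token is constructed from placeholder bytes rather than real ciphertext.

```python
import base64
import json

# Header values required by the JWE header parameter table above.
REQUIRED = {"enc": "A256GCM", "alg": "RSA-OAEP-256", "cty": "application/json"}

def _b64url_decode(segment):
    # JWE compact serialization uses unpadded base64url (RFC 7516).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_jwe(compact):
    """Return a list of problems; an empty list means the token passes."""
    parts = compact.split(".")
    if len(parts) != 5:
        return ["expected 5 dot-separated segments, got %d" % len(parts)]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        enc_key, iv, ciphertext, tag = (_b64url_decode(p) for p in parts[1:])
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        return ["segment could not be decoded: %s" % exc]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = []
    for name, wanted in REQUIRED.items():
        if header.get(name) != wanted:
            problems.append("%s must be %s, got %r" % (name, wanted, header.get(name)))
    if not header.get("kid"):
        problems.append("kid (encryption key fingerprint) is missing")
    # A256GCM uses a 96-bit IV and a 128-bit authentication tag (RFC 7518).
    if len(iv) != 12:
        problems.append("IV must be 12 bytes for A256GCM")
    if len(tag) != 16:
        problems.append("authentication tag must be 16 bytes")
    if not enc_key or not ciphertext:
        problems.append("encrypted key or ciphertext is empty")
    return problems

def build_body(compact):
    """Wrap a checked JWE in the request body format shown above."""
    problems = check_jwe(compact)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"encryptedData": compact})

def sample_jwe(header):
    # Constructed sample: placeholder bytes stand in for the wrapped key, IV,
    # ciphertext and tag. The shape is right but nothing here is decryptable.
    segs = [json.dumps(header).encode(), b"\x01" * 256, b"\x02" * 12, b"\x03" * 40, b"\x04" * 16]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs)
```

The check inspects structure only; it does not decrypt anything or verify that `kid` matches a key registered for your project.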

## Environments {#environments}

The table below describes the two different environments that are available.

| **Environment** |                                                                                                                  **Description**                                                                                                                   |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | The pre-production test environment contains the latest pre-release or released version of the APIs, intended for full integration testing before moving to production. At this stage, use the Sandbox keys generated during the project creation. |
| Production      | The production environment contains the latest production API release. You can request approval to obtain the Production keys. Once approved, you can proceed to complete testing in the Production environment before launching your solution.    |

