# API Basics
source: https://developer.mastercard.com/issuer-enrollment/documentation/api-basics/index.md

## API Security {#api-security}

### Authentication {#authentication}

To access Mastercard-provided APIs, you need to authenticate your API requests using the API Signing Key and Consumer Key. Mastercard supports the OAuth protocol to authenticate client access to the [APIs](https://developer.mastercard.com/issuer-enrollment/documentation/api-reference/apis/index.md).


Learn more about these keys in [Key Management](https://developer.mastercard.com/issuer-enrollment/tutorial/key-management-click2pay/index.md).

#### OAuth Authentication Protocol {#oauth-authentication-protocol}

[OAuth 1.0a](https://oauth.net/core/1.0a/) is the **default authentication mechanism** used by most APIs on Mastercard Developers. It is an authentication and authorization protocol that guarantees the integrity and authenticity of incoming API calls and allows for non-repudiation of requests.

Each API request requires an OAuth Bearer Token (jwtBearerAuth), structured as a JWT, generated and signed by Mastercard.
Mastercard uses [OAuth 1.0a with a body hash extension](https://tools.ietf.org/id/draft-eaton-oauth-bodyhash-00.html) to secure its APIs, which requires every request to be signed with a private key. Possession of this key proves your identity during the authentication process.


To learn more about the Mastercard OAuth 1.0a scheme, refer to the [guide](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/).

Client authentication libraries can be found on [GitHub](https://github.com/Mastercard?&q=oauth), with how-to information provided in their README.md files.

Note: For push provisioning with MDES Token Connect APIs, find more details [here](https://developer.mastercard.com/mdes-token-connect/documentation/api-basics/).
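The following is an added example, not code from Mastercard or its client libraries, showing how the body hash extension binds the request body to the OAuth 1.0a signature and how a receiver detects a modified body or URL. It assumes SHA-256 for `oauth_body_hash` and an RSA-SHA256 (PKCS#1 v1.5) signature; the key pair, consumer key, URL, body and nonce are constructed placeholders.

```javascript
const crypto = require("node:crypto");

// RFC 3986 percent-encoding; encodeURIComponent leaves !*'() unescaped, OAuth does not.
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// oauth_body_hash: base64 digest of the exact body bytes (SHA-256 is an assumption here).
const bodyHash = (body) => crypto.createHash("sha256").update(body, "utf8").digest("base64");
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & encoded base URL & encoded, sorted query + oauth_* parameters.
function baseString(method, url, oauthParams) {
  const u = new URL(url);
  const pairs = [...u.searchParams.entries(), ...Object.entries(oauthParams)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`);
  return [method.toUpperCase(), enc(`${u.protocol}//${u.host}${u.pathname}`), enc(pairs.join("&"))].join("&");
}

// Client: hash the body, fold the hash into the signed parameters, sign with the private key.
function signRequest(method, url, body, consumerKey, privateKey, nonce, timestamp) {
  const oauth = {
    oauth_body_hash: bodyHash(body),
    oauth_consumer_key: consumerKey,
    oauth_nonce: nonce, // must be unique per request in real use
    oauth_signature_method: "RSA-SHA256",
    oauth_timestamp: String(timestamp),
    oauth_version: "1.0",
  };
  const base = baseString(method, url, oauth);
  const sig = crypto.sign("sha256", Buffer.from(base), privateKey).toString("base64");
  return { base, oauth: { ...oauth, oauth_signature: sig } };
}

// Receiver: re-hash the body that actually arrived, rebuild the base string, check the signature.
function verifyRequest(method, url, receivedBody, oauth, publicKey) {
  const { oauth_signature, ...params } = oauth;
  if (params.oauth_body_hash !== bodyHash(receivedBody)) return false; // body changed in transit
  const base = baseString(method, url, params);
  return crypto.verify("sha256", Buffer.from(base), publicKey, Buffer.from(oauth_signature, "base64"));
}

// Constructed demo values: throwaway key pair, placeholder consumer key, made-up URL and body.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const DEMO_URL = "https://api.example.test/enrollments?limit=10";
const DEMO_BODY = '{"accountId":"constructed-sample"}';
const signed = signRequest("POST", DEMO_URL, DEMO_BODY, "CONSUMER_KEY_PLACEHOLDER", privateKey, "a1b2c3d4e5f6", 1700000000);
console.log(verifyRequest("POST", DEMO_URL, DEMO_BODY, signed.oauth, publicKey), verifyRequest("POST", DEMO_URL, DEMO_BODY + " ", signed.oauth, publicKey));
```

Because the body hash is one of the signed parameters, changing even one byte of the body, or any query parameter, invalidates the request without the receiver needing the private key.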

### Encryption {#encryption}

* The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks.
* Mastercard uses end-to-end encryption to secure sensitive data.
* To learn more about Encryption Keys used to encrypt an object, refer to the [Key Management](https://developer.mastercard.com/issuer-enrollment/tutorial/key-management-click2pay/index.md) and [Perform Encryption](https://developer.mastercard.com/issuer-enrollment/tutorial/perform-encryption/index.md) tutorials.

Tip: To learn more about encryption schemes that Mastercard uses, refer to the [Securing Sensitive Data Using Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/) guide.

## Environments {#environments}

The table below describes the environments that are available.

| **Environment** |                                                                       **Description**                                                                       |
|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Pre-production test environment containing the latest pre-release version of the APIs, intended for full integration testing prior to moving to Production. |
| Production      | Once all testing has been completed and you are ready to go live, you can request access to our live production environment.                                |

Note that API errors may occur when the gateway rejects an incorrect or malformed request, or when the service rejects a request because of business logic. Refer to the [Code and Formats](https://developer.mastercard.com/issuer-enrollment/documentation/code-and-formats/index.md) page for details.

## How to Use Mastercard APIs? {#how-to-use-mastercard-apis}

### Generating an Open API Client {#generating-an-open-api-client}

Create customizable API clients using an [OpenAPI Generator](https://openapi-generator.tech/), and let Mastercard's open-source client libraries, which support multiple languages and frameworks, handle the authentication for you. This approach offers more flexibility and is strongly recommended.

Follow the steps in [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) to generate an API client to use Mastercard APIs, enable authentication, and perform encryption/decryption.
