# API Authentication
source: https://developer.mastercard.com/issuer-enrollment/documentation/tutorials-and-guides/api_oauth/index.md

Before calling Mastercard APIs, you need an OAuth signing key to authenticate your API calls. This is referred to as an API Signing Key in Mastercard Connect (refer to [Key Management](https://developer.mastercard.com/remote-commerce-onboarding/documentation/key_management/)). The OAuth protocol involves a consumer key (a client ID) and a private request signing key, which is the private key of your signing key pair. Use it to sign your API calls with OAuth so that the Mastercard API server can authenticate you when you access the APIs.

The P12 keystore you generate (the "Signing Key" in Mastercard Connect) contains a public/private key pair. The public key is shared with Mastercard during the generation process and will be used to verify the OAuth signature provided on every API call. The OAuth signature must be created using the private key inside the P12 keystore.

## Bearer token (OAuth 1.0a) {#bearer-token-oauth-10a}

Each request requires an OAuth Bearer Token (jwtBearerAuth), structured as a JWT, generated and signed by Mastercard.
Mastercard uses OAuth 1.0a with a body hash extension for securing its APIs. This requires every request to be signed with a private key. The ownership of this key proves your identity during the authentication process. You can find more details about this mechanism in the following support article and blog post on Mastercard Developers:

* [Support article](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/)
* [Blog post](https://developer.mastercard.com/blog/why-mastercard-doesnt-use-oauth-20)   
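
The body hash extension makes the hash of the request body one of the signed parameters, so a body changed after signing no longer matches the signature. The following added example (not Mastercard's code) builds the string that is signed, following RFC 5849 parameter normalization. The SHA-256 body hash, the `RSA-SHA256` method name, and the sample URL, consumer key, nonce and body are assumptions, and the RSA signing step with the P12 private key is not shown.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(value, safe="-._~")


def body_hash(body: bytes) -> str:
    # Body hash extension: base64(SHA-256(body)). An empty body is hashed too.
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signature_base_string(method, url, body, consumer_key, nonce, timestamp):
    parts = urlsplit(url)
    oauth = {
        "oauth_body_hash": body_hash(body),
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "RSA-SHA256",  # assumption, not stated on this page
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    # Query parameters are signed together with the oauth_* parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth.items())
    # Encode each name and value, sort, then join as name=value&name=value.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    # Base URI: lowercased scheme and host, path kept, query and fragment dropped.
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


# Constructed sample request: host, path, consumer key, nonce and body are placeholders.
URL = "https://api.example.test/enrollments?limit=10&filter=a%20b"
KEY, NONCE, TS = "constructed-consumer-key", "constructed-nonce-01", 1700000000
BODY = b'{"accountRange":"constructed"}'

if __name__ == "__main__":
    signed = signature_base_string("POST", URL, BODY, KEY, NONCE, TS)
    tampered = signature_base_string("POST", URL, BODY + b" ", KEY, NONCE, TS)
    print(signed)
    print("body change alters signed string:", signed != tampered)
```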

## Keystore details {#keystore-details}

You can view the keystore contents using commonly available tools. During key generation, you give the P12 keystore a filename, a password and an alias (friendly name). For example:

* Filename: srctest-sandbox
* Password: keystorepassword
* Private key alias (friendly name): keyalias

To view the contents of the keystore, you can use either the Java keytool:

    keytool -storetype PKCS12 -list -keystore srctest-sandbox.p12 -storepass keystorepassword -v

or OpenSSL:

    openssl pkcs12 -info -in srctest-sandbox.p12 -password pass:keystorepassword

## Error handling {#error-handling}

Different kinds of errors can occur, and they need to be handled differently.

* API errors may occur where the API gateway rejects an incorrect or malformed request. For more details about Gateway errors, refer to the [Gateway Error Codes](https://developer.mastercard.com/platform/documentation/gateway-error-codes/) in the general Mastercard Developers Platform documentation.

* API errors might also occur if the API gateway successfully passed the request to the relevant service, but the service rejected it for some reason related to business logic.

## Next Steps {#next-steps}

Once onboarding is completed in the Onboarding and Registration portal, the Issuer needs to provide the `srcClientId` so that the Issuer's role can be updated.
