# API Basics
source: https://developer.mastercard.com/mastercard-insurance-programs/documentation/api-basics/index.md

## Authentication {#authentication}

Mastercard uses one-legged [OAuth 1.0a](https://datatracker.ietf.org/doc/html/rfc5849) for authenticating and authorizing client applications. To access the Insurance service APIs, you must authenticate your client applications: every request sent to us must be digitally signed, and only requests with valid signatures created by authorized clients are granted access to the Mastercard Insurance service.

### In short {#in-short}

* Mastercard uses OAuth 1.0a for authenticating client applications
* Requests with a body must be signed using the [Google Request Body Hash](https://tools.ietf.org/id/draft-eaton-oauth-bodyhash-00.html) extension for OAuth
* OAuth Keys for your project can be set up in your dashboard
* Client authentication libraries can be found on [GitHub](https://github.com/Mastercard?&q=oauth), with how-to information provided in [README.md](https://github.com/Mastercard/oauth1-signer-java/blob/main/README.md) files

### OAuth keys & authentication libraries {#oauth-keys--authentication-libraries}

Mastercard provides client authentication libraries in several languages that you can integrate into your project or use as reference OAuth 1.0a implementations. To get started, add the package matching your application development language to your project.

Tip: OAuth 1.0a presents many edge cases that are easy to miss. We strongly encourage you to use existing OAuth libraries rather than implementing the specification yourself. For further details, refer to [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/).

## Encryption {#encryption}

### Transport and payload encryption {#transport-and-payload-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks.

In addition, because the USER-DATA-TOKEN endpoint request contains a PAN (primary account number), the request payload must be encrypted.

For details on request payload encryption, refer to the JWE encryption section in [Payload encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/).

Note: Only the request payload is encrypted for USER-DATA-TOKEN. The response is not encrypted because it does not contain any sensitive data.

## How to consume the Insurance service {#how-to-consume-the-insurance-service}

There are multiple ways of integrating with the Insurance service:

1. Using a generated API client (recommended)
2. Using a method of your choice

### Generating API Client {#generating-api-client}

Create customizable API clients from the Insurance service specifications and let Mastercard open-source client libraries handle the authentication and encryption for you.
This approach offers more flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client tutorial](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/)
with the following API specification:
[LoyaltyInsuranceSpec.yaml](https://static.developer.mastercard.com/content/mastercard-insurance-programs/swagger/LoyaltyInsuranceSpec.yaml) (11KB)

### Using a Method of Your Choice {#using-a-method-of-your-choice}

Insurance service exposes REST APIs: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source client libraries for [authentication](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/#step-4-add-the-client-authentication-library-to-the-project)
and [encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/#step-5-add-the-client-encryption-library-to-the-project).

For the API specifications, refer to [API reference](https://developer.mastercard.com/mastercard-insurance-programs/documentation/api-reference/index.md).

### Get user token encrypted payload format {#get-user-token-encrypted-payload-format}

```json
{
    "encryptedValue":"eyJraWQiOiJjZTlhNjU2NDYzM2Y4MjdlNzIwZWVjYmFjNGFhOTc2ODE2YmJhOWYxZDdmN2VmM2IxNmZkNzgwMWYzYjYxYTAyIiwiY3R5IjoiYXBwbGljYXRpb24vanNvbiIsImVuYyI6IkEyNTZHQ00iLCJhbGciOiJSU0EtT0FFUC0yNTYifQ.toTTASeJRaCP-0JvS77FJett-yvFoKL23ebo-rfspEE-y7TnsKMweqZIeD7-bgx-EyYn0ZnTBBIvErZBWxRt6B6F4OPKPX-LGVzbOQ8uXlA9-OQvhilZOsbet5ZOWiusR6-LAE-9Z6ZuQfpJi2oyWtxjlGQogKngW3QyH7UutkwovqWCo4VOsQxg-MQ7cX97T6_-teIJ-bg81ofKpKtPf70B-SJDax7xnACW4Ibu9gxJV_kq5vD3mneLYzD5Uklvvz2rYGV95CFHexydQ3FG0_9aL5u6zXTB7ujMD64Jtjz9-z5Soqi_5nNk6890j9BZyV_zJtE4bgv6ymnpHbIgsA.-0G8oICHUpdqiGhJA9HGvA.DGlYStijW51IFHkEa5fhas-OH0QSyVUcbWdl4kl21xRQBWvX3KGDgsMfeVtSCwDfWt7oL_8_rS1rb_k4R61n1NG3odz7uD1rLeFphZFKWYdbsISgiuCpdKjGDdtsfrSjW-OZYnYnYrN457jqaxaVjFzCiWNn3wIxdnCIrxN7qqkj0nFQsd_iD9rfPYkyu6ekIjtbErO_7oJezM0tuX3ICxO3JDCZzHDJ1iohwvxnbMXCxb5JbzswOavqr3wUw2Z1W_6-vi6eEHm4iMyutpiNGPeLZKTJEGme79WqRHRoFJiafqcF6RIcdR3PVA4.aC_2-dTTK9DqnPq0FDwgxQ"
}
```
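
A pre-send guard for the USER-DATA-TOKEN request, as an added example that is not Mastercard's code: it checks that an outgoing body has the JWE compact shape shown above (five base64url segments, a protected header with the `alg` and `enc` values the sample carries, a key id, a 16-byte GCM tag) so a cleartext PAN is rejected before it leaves the client. The function names, the `pan` field and the filler segments are assumptions constructed for illustration; the check is structural and performs no decryption.

```python
import base64
import json
import re

# alg/enc values carried in the protected header of the sample payload above.
ALLOWED_ALG = ("RSA-OAEP-256",)
ALLOWED_ENC = ("A256GCM",)
GCM_TAG_BYTES = 16  # AES-GCM authentication tag length

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWE compact serialization."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", segment):
        raise ValueError("empty or non-base64url segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_encrypted_body(body: str) -> list:
    """Return the problems found; an empty list means the body is JWE-shaped."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not JSON"]
    if not isinstance(doc, dict) or set(doc) != {"encryptedValue"}:
        return ["body must hold only 'encryptedValue'; cleartext fields present?"]
    parts = str(doc["encryptedValue"]).split(".")
    if len(parts) != 5:
        return [f"expected 5 JWE segments, found {len(parts)}"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        tag = [b64url_decode(p) for p in parts[1:]][-1]
    except ValueError:
        return ["a segment is not base64url, or the header is not JSON"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]
    problems = []
    if header.get("alg") not in ALLOWED_ALG:
        problems.append(f"unexpected alg: {header.get('alg')!r}")
    if header.get("enc") not in ALLOWED_ENC:
        problems.append(f"unexpected enc: {header.get('enc')!r}")
    if not header.get("kid"):
        problems.append("missing kid")
    if len(tag) != GCM_TAG_BYTES:
        problems.append(f"tag is {len(tag)} bytes, expected {GCM_TAG_BYTES}")
    return problems

def sample_body(header: dict) -> str:
    """Constructed JWE-shaped body: filler bytes, not real ciphertext."""
    segs = [json.dumps(header).encode(), b"\x01" * 256, b"\x02" * 16,
            b"\x03" * 40, b"\x04" * 16]
    enc = [base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segs]
    return json.dumps({"encryptedValue": ".".join(enc)})
```

Call `check_encrypted_body` on the serialized request body just before it is handed to the HTTP client, and refuse to send when the returned list is non-empty.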

## Environments {#environments}

| Environment |                                                                       Description                                                                       |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox     | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration prior to moving to production |
| Production  | Full production environment containing the latest production API release.                                                                               |

