# API Basics
source: https://developer.mastercard.com/mastercard-send-account-info/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses OAuth 1.0a for authenticating your application. You can manage your authentication keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) after you create a project using the **Mastercard Send** API service.

Tip: To learn more about the authentication scheme Mastercard uses, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

### Transport Encryption {#transport-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data are encrypted by default when transmitted across networks.

## How to Consume the Account Information API {#how-to-consume-the-account-information-api}

There are multiple ways of integrating with the Account Information service:

* Using a generated API client (recommended)
* Using a method of your choice

### Generating Your Own API Client {#generating-your-own-api-client}

Create customizable API clients from the Account Information API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, please follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/generating-and-configuring-a-mastercard-api-client/) tutorial with the following API specification:
[account-information-api-swagger.yaml](https://static.developer.mastercard.com/content/mastercard-send-account-info/swagger/account-information-api-swagger.yaml) (15KB)

### Using a Method of Your Choice {#using-a-method-of-your-choice}

The Account Information service exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests.

For that, please refer to the Account Information [REST API Reference](https://developer.mastercard.com/mastercard-send-account-info/documentation/api-reference/index.md).

## Environments {#environments}

The table below describes the three different environments that are available.

|          Environment           |                                                                                                                                                                                                                                                             Description                                                                                                                                                                                                                                                              |
|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox                        | Early-access environment containing limited-capacity mock APIs, enabling you to try the APIs quickly to assist with initial integration and solution development. The Sandbox returns mock responses for a defined request (see [Sandbox Testing](https://developer.mastercard.com/mastercard-send-account-info/documentation/testing/index.md#sandbox-testing)) and should not be used for full integration testing. Use your Sandbox keys to authenticate with this environment. The keys are set up when you create your project. |
| Mastercard Test Facility (MTF) | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration testing prior to moving to production. Use your Sandbox keys for authentication.                                                                                                                                                                                                                                                                                                                           |
| Production                     | Full production environment containing the latest production API release. Use your Production keys to authenticate with this environment. The keys are set up when you request Production access for your project (via your project page).                                                                                                                                                                                                                                                                                           |

## HTTP Headers {#http-headers}

The API accepts requests in JSON or XML format. Use the Content-Type header to provide the data format in the request and use the Accept header to determine the response format. If the Accept header is not provided and Content-Type is provided, the response will be the same format as Content-Type.

|     Header     |                           Description                            |             Examples             |
|----------------|------------------------------------------------------------------|----------------------------------|
| Content-Type   | The format of the body content being submitted: JSON or XML.     | application/json, application/xml |
| Content-Length | The length of the body content being submitted, in octets.       | 54138                            |
| Accept         | The format you would like returned in the response: JSON or XML. | application/json, application/xml |

The response includes this header:

|     Header     |                                                                                                                                                                                                                              Description                                                                                                                                                                                                                               |            Examples            |
|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
| correlation-id | The unique Correlation ID for the API call in Mastercard systems. We recommend you log this ID for tracking purposes. When seeking support, providing the relevant Correlation ID may help resolve your inquiry more quickly. For example, in some situations an unsuccessful API call may result in a 4xx/5xx error response and the request message data might not reach Mastercard Send. Mastercard Support teams can use the Correlation ID to trace the API call. | 0.9d5e6cc1.1692956220.1e87632a |
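
The header rules above can be sketched on the client side as follows. This is an added example, not Mastercard code: the function and logger names are hypothetical, and the character filter and length cap applied before logging are this example's own choices rather than a documented format for the Correlation ID.

```python
import logging
import re

log = logging.getLogger("send_account_info_client")  # hypothetical logger name

_FORMATS = {"application/json": "json", "application/xml": "xml"}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def expected_response_format(request_headers):
    """Accept decides the response format; without it, Content-Type is mirrored."""
    for name in ("Accept", "Content-Type"):
        value = _get(request_headers, name)
        if value:
            media_type = value.split(";")[0].strip().lower()
            return _FORMATS.get(media_type)
    return None  # neither header sent: the page does not define this case


def correlation_id_for_log(response_headers, max_len=128):
    """Return the correlation-id in a form that is safe to write to a log line."""
    raw = _get(response_headers, "correlation-id")
    if raw is None:
        return None
    # Keep printable, non-space ASCII only, so a corrupted or hostile value
    # cannot inject line breaks into the log, and cap the length.
    return re.sub(r"[^\x21-\x7e]", "", raw)[:max_len] or None


def record_call(status, response_headers):
    """Log every call with its correlation-id, including 4xx/5xx failures."""
    cid = correlation_id_for_log(response_headers)
    level = logging.ERROR if status >= 400 else logging.INFO
    log.log(level, "status=%d correlation_id=%s", status, cid or "<absent>")
    return cid
```

Calling `record_call` on every response, including failures, keeps the ID available for the support cases described in the table.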

## Technical Considerations {#technical-considerations}

We reserve the right to add optional parameters to resource actions/services and to add new fields to resource representations returned in responses. These types of changes are considered backward compatible. Applications consuming these resources should be written such that new fields appearing in returned resource representations will not cause errors.

We reserve the right to truncate consumer data, when required to comply with constraints of financial messages initiated through calls to the API. We will not modify the consumer data in storage but will perform any required truncation when the financial message is constructed.

If a field is not populated, it will be omitted from the response. However, participants should code to all response fields.

### Conventions {#conventions}

* URLs will be all lowercase, with the possible exception of resource identifiers.

* When URL elements consist of multiple words, the words will be separated by hyphens ("-").

* Input parameter names and resource member names will be in lowercase.

* When input parameter names and resource member names consist of multiple words, the words will be separated by underscores ("_").

* Avoid providing blank/empty values for any optional fields. If you are not supplying a field value, omit the field completely.

* Unless otherwise specified, API fields allow/support UTF (English) alphanumeric characters, but do not support multi-lingual characters and MBCS (multibyte character set).
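
The following added example (not part of the original page or Mastercard's libraries) shows one way a JSON client can follow the Technical Considerations and Conventions above: omit empty optional fields before sending, flag values outside the supported character set, and read responses without failing on new or omitted fields. All field names and sample payloads are constructed for illustration, and treating "English alphanumeric" as ASCII is an assumption of this example.

```python
import json

# Fields this client understands. Names are constructed for illustration and
# are NOT taken from the Account Information API specification.
KNOWN_RESPONSE_FIELDS = ("account_status", "brand_name", "currency_code")
# Constructed sample data.
SAMPLE_REQUEST = {"first_name": "José", "middle_name": "  ",
                  "address": {"line1": "1 Main St", "line2": ""}, "tags": []}
SAMPLE_RESPONSE = ('{"account_status": "ok", "currency_code": "USD", '
                   '"added_in_later_release": true}')


def _is_empty(v):
    return (v is None or (isinstance(v, str) and not v.strip())
            or (isinstance(v, (dict, list)) and len(v) == 0))


def prune_empty(payload):
    """Recursively drop blank/empty values so unsupplied optional fields are
    omitted from the request instead of being sent empty."""
    if isinstance(payload, dict):
        cleaned = {k: prune_empty(v) for k, v in payload.items()}
        return {k: v for k, v in cleaned.items() if not _is_empty(v)}
    if isinstance(payload, list):
        return [v for v in map(prune_empty, payload) if not _is_empty(v)]
    return payload


def non_ascii_fields(payload, path=""):
    """List the paths of string values that contain non-ASCII characters."""
    found = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            found += non_ascii_fields(v, f"{path}.{k}" if path else k)
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            found += non_ascii_fields(v, f"{path}[{i}]")
    elif isinstance(payload, str) and not payload.isascii():
        found.append(path)
    return found


def parse_response(body):
    """Read known fields only: omitted fields become None, and fields added in
    a later release are reported instead of raising an error."""
    doc = json.loads(body)
    known = {name: doc.get(name) for name in KNOWN_RESPONSE_FIELDS}
    unknown = sorted(set(doc) - set(KNOWN_RESPONSE_FIELDS))
    return known, unknown
```

If the client deserializes into typed models instead, configure the deserializer to ignore unknown properties for the same effect.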

