# API Basics
source: https://developer.mastercard.com/mdes-digital-card-art-service/documentation/api-basics/index.md

## API Security {#api-security}

Mastercard uses OAuth 1.0a with a body hash extension to authenticate API clients. [OAuth 1.0a](https://oauth.net/core/1.0a/) is an authentication and authorization protocol that guarantees the integrity and authenticity of incoming API calls and allows for non-repudiation of requests.

OAuth 1.0a requires every request that you send to Mastercard to be signed with an RSA private key. A private-public RSA key pair must be generated consisting of:

1. A private key for the OAuth signature for API requests. It is recommended to keep the private key in a password-protected or hardware keystore. Data encrypted using a public key can only be decrypted using the corresponding private key.

2. A public key, which is shared with Mastercard during the project setup process through either a certificate signing request (CSR) or the API Key Generator. Mastercard will use the public key to verify the OAuth signature that is provided on every API call.

   * Requests with a body must be signed using the Google Request Body Hash extension for OAuth.
   * The OAuth keys for your project can be set up on your project dashboard (Developer Dashboard) after you create a project.
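
The following added example (not Mastercard's client library code) shows why the body hash matters: the hash of the body is one of the signed OAuth parameters, so a verifier holding only the public key rejects a request whose body changed after signing. It assumes SHA-256 for the body hash and RSA-SHA256 for the signature, and uses a key pair generated on the spot, a placeholder consumer key and URL, and constructed nonce, timestamp and body values.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
public class OAuthBodyHashDemo {
    // RFC 3986 percent-encoding, as OAuth 1.0a requires (URLEncoder differs on ' ', '*', '~').
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // oauth_body_hash: Base64 of the digest of the raw body (SHA-256 is an assumption here).
    static String bodyHash(String body) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(body.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }
    // Signature base string: METHOD & encoded URL & encoded, name-sorted parameter list.
    static String baseString(String url, String body) throws GeneralSecurityException {
        SortedMap<String, String> p = new TreeMap<>();
        p.put("oauth_consumer_key", "PLACEHOLDER_CONSUMER_KEY");
        p.put("oauth_nonce", "constructed-nonce-1");
        p.put("oauth_timestamp", "1700000000");
        p.put("oauth_signature_method", "RSA-SHA256");
        p.put("oauth_version", "1.0");
        p.put("oauth_body_hash", bodyHash(body));
        StringJoiner joined = new StringJoiner("&");
        p.forEach((k, v) -> joined.add(enc(k) + "=" + enc(v)));
        return "POST&" + enc(url) + "&" + enc(joined.toString());
    }
    static boolean verify(PublicKey pub, String base, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(base.getBytes(StandardCharsets.UTF_8));
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();             // constructed demo key pair
        String url = "https://api.example.test/resource"; // placeholder URL
        String body = "{\"sample\":\"constructed body\"}";
        // Client: sign the base string with the private key.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(pair.getPrivate());
        signer.update(baseString(url, body).getBytes(StandardCharsets.UTF_8));
        byte[] sig = signer.sign();
        // Server: rebuild the base string from the received request, verify with the public key.
        System.out.println("as sent:       " + verify(pair.getPublic(), baseString(url, body), sig));
        System.out.println("body modified: " + verify(pair.getPublic(), baseString(url, body + " "), sig));
    }
}
```

A production signer also has to fold query parameters into the sorted parameter list and use a fresh nonce and timestamp per request, which the Mastercard client libraries handle.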

Tip: Do you want to learn more about the authentication scheme Mastercard uses? Read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

## Encryption {#encryption}

All communication between an issuer and the MDES Digital Card Art Service (MDCS) API is encrypted using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks.

Tip: Do you want to learn more about the encryption schemes Mastercard uses? Read our [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/) guide.

* The sandbox encryption certificate: [public-key-certificate.crt](https://static.developer.mastercard.com/content/mdes-digital-card-art-service/uploads/public-key-certificate.crt) (2KB).
* The encryption configuration below (to be used at the "*Enable Encryption*" step):

```java
FieldLevelEncryptionConfig fieldLevelEncryptionConfig = FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
    .withEncryptionPath("$.pushFundingAccount.encryptedPayload.encryptedData", "$.pushFundingAccount.encryptedPayload")
    .withEncryptionCertificate(EncryptionUtils.loadEncryptionCertificate("path/to/public-key-certificate.crt"))
    .withOaepPaddingDigestAlgorithm("SHA-512")
    .withEncryptedValueFieldName("encryptedData")
    .withEncryptedKeyFieldName("encryptedKey")
    .withIvFieldName("iv")
    .withOaepPaddingDigestAlgorithmFieldName("oaepHashingAlgorithm")
    .withEncryptionCertificateFingerprintFieldName("publicKeyFingerprint")
    .withFieldValueEncoding(FieldValueEncoding.HEX)
    .build();
```

```csharp
var fieldLevelEncryptionConfig = FieldLevelEncryptionConfigBuilder.AFieldLevelEncryptionConfig()
    .WithEncryptionPath("$.pushFundingAccount.encryptedPayload.encryptedData", "$.pushFundingAccount.encryptedPayload")
    .WithEncryptionCertificate(EncryptionUtils.LoadEncryptionCertificate("path/to/public-key-certificate.crt"))
    .WithOaepPaddingDigestAlgorithm("SHA-512")
    .WithEncryptedValueFieldName("encryptedData")
    .WithEncryptedKeyFieldName("encryptedKey")
    .WithIvFieldName("iv")
    .WithOaepPaddingDigestAlgorithmFieldName("oaepHashingAlgorithm")
    .WithEncryptionCertificateFingerprintFieldName("publicKeyFingerprint")
    .WithValueEncoding(FieldValueEncoding.Hex)
    .Build();
```
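
To make the field names in this configuration concrete, the added example below (plain JDK code, not the Mastercard client library) builds an envelope with the same parts: data encrypted under a one-time symmetric key, that key wrapped with RSA-OAEP using a SHA-512 digest, an IV, a key fingerprint, and hex encoding throughout. The AES-CBC payload cipher, the SHA-256 fingerprint over the DER-encoded public key, the freshly generated key pair standing in for the sandbox certificate, and the exact value formats are assumptions; it needs Java 17 for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.HexFormat;
import javax.crypto.*;
import javax.crypto.spec.*;

public class FieldEncryptionEnvelopeDemo {
    public static void main(String[] args) throws Exception {
        // Constructed RSA key pair standing in for the key inside public-key-certificate.crt.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair recipient = gen.generateKeyPair();
        HexFormat hex = HexFormat.of();                    // mirrors FieldValueEncoding.HEX
        // One-time AES key and IV protect the JSON value (AES-CBC is an assumption).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey sessionKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(iv));
        byte[] data = aes.doFinal("{\"sample\":\"constructed\"}".getBytes(StandardCharsets.UTF_8));
        // The AES key is wrapped for the recipient with RSA-OAEP using the configured SHA-512 digest.
        OAEPParameterSpec oaep = new OAEPParameterSpec(
                "SHA-512", "MGF1", MGF1ParameterSpec.SHA512, PSource.PSpecified.DEFAULT);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPPadding");
        rsa.init(Cipher.WRAP_MODE, recipient.getPublic(), oaep);
        byte[] wrappedKey = rsa.wrap(sessionKey);
        // Fingerprint tells the recipient which key to unwrap with (SHA-256 of the DER key, assumed).
        byte[] fp = MessageDigest.getInstance("SHA-256").digest(recipient.getPublic().getEncoded());
        System.out.printf("{\"encryptedData\":\"%s\",%n \"encryptedKey\":\"%s\",%n \"iv\":\"%s\",%n"
                + " \"oaepHashingAlgorithm\":\"SHA-512\",%n \"publicKeyFingerprint\":\"%s\"}%n",
                hex.formatHex(data), hex.formatHex(wrappedKey), hex.formatHex(iv), hex.formatHex(fp));
        // Recipient side: unwrap with the private key, then decrypt with the transmitted IV.
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate(), oaep);
        Key unwrapped = rsa.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, unwrapped, new IvParameterSpec(iv));
        System.out.println(new String(aes.doFinal(data), StandardCharsets.UTF_8));
    }
}
```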

## How to Consume the API? {#how-to-consume-the-api}

There are two ways of integrating with the MDES Digital Card Art Service API:

* **Generating your own MDES Digital Card Art Service API client (recommended)**
  Create customizable API clients from the MDES Digital Card Art Service (MDCS) API reference and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.
  For this, follow the [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorials.

* **Using a method of your choice**
  MDES Digital Card Art Service exposes a REST API on the [API Reference](https://developer.mastercard.com/mdes-digital-card-art-service/documentation/api-reference/index.md) page. You are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) for signing your requests.

## Environment Descriptions {#environment-descriptions}

The table describes the different environments that are available for the MDES Digital Card Art Service API:

| Environment Name |                                                                                                                                                                                Description                                                                                                                                                                                | Onboarding Required? |    Authentication    |      Encryption Key       |
|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|----------------------|---------------------------|
| Sandbox          | Early access environment containing limited-capability mock APIs, intended to assist with the initial integration for new clients. The Sandbox returns mock responses for a defined request. The JSON samples can be used as a reference for sending requests and receiving responses. The Sandbox will only validate the length and data type of the request parameters. | No                   | Sandbox Client ID    | Sandbox Encryption Key    |
| Production       | Full production environment containing the latest production API release.                                                                                                                                                                                                                                                                                                 | Yes                  | Production Client ID | Production Encryption Key |

## Next Steps {#next-steps}

Now that you have an understanding of the service authentication and encryption, proceed to the [Quick Start Guide](https://developer.mastercard.com/mdes-digital-card-art-service/documentation/quick-start-guide/index.md) section to learn how to access the API and generate your credentials.
