# API Basics
source: https://developer.mastercard.com/merchant-identifier/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses [OAuth 1.0a with body hash extension](https://oauth.net/core/1.0a/) to authenticate API clients. Every request
you send to Mastercard must be signed with an RSA private key. You must generate an RSA key pair consisting
of:

1. A **private key**, used to create the OAuth signature on API requests. It is recommended that you keep the private key in a password-protected or hardware keystore.
2. A **public key**, shared with Mastercard during the project setup process through either a certificate signing request (CSR) or the API Key Generator. Mastercard uses the public key to verify the OAuth signature provided on every API call.

Requests with a body must be signed using the Google request body hash extension for OAuth.
After you have created a project, you can set up its OAuth keys on the [Developer Dashboard](https://developer.mastercard.com/dashboard).

Tip: To learn more about the authentication scheme Mastercard uses, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) guide.
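
As an added illustration (not Mastercard's code and not part of the original page) of what the RSA key signs under OAuth 1.0a with the body hash extension, the following Python builds the `oauth_body_hash` and the signature base string, and stops short of the RSA signing step. SHA-256 as the body digest and `RSA-SHA256` as the signature method are assumptions; the URL, consumer key, nonce and timestamp are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit, parse_qsl


def pct(value: str) -> str:
    """Percent-encode per OAuth 1.0a: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def body_hash(body: bytes) -> str:
    """oauth_body_hash: Base64 of the digest of the raw request body.
    SHA-256 is an assumption here; the page does not name the digest."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def signature_base_string(method: str, url: str, oauth_params: dict, body: bytes) -> str:
    """Build the string that the RSA private key signs (OAuth 1.0a core, section 9.1)."""
    parts = urlsplit(url)
    # Base URI: lowercase scheme and host, no query string, default port dropped.
    host = parts.hostname.lower()
    if parts.port and (parts.scheme.lower(), parts.port) not in (("https", 443), ("http", 80)):
        host += f":{parts.port}"
    base_uri = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    # Query parameters and OAuth parameters are signed together with the body hash.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += list(oauth_params.items()) + [("oauth_body_hash", body_hash(body))]
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


# Constructed sample request: every value below is a placeholder.
SAMPLE_PARAMS = {
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "a1b2c3d4e5f6",
    "oauth_signature_method": "RSA-SHA256",  # assumed method name
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SAMPLE_URL = "https://api.example.test/resource?Name=Acme%20Shop"

if __name__ == "__main__":
    for body in (b'{"amount": 10}', b'{"amount": 1000}'):
        print(signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS, body))
```

Because the body hash is one of the signed parameters, changing a single byte of the body changes the base string, so a signature computed over the original request no longer verifies.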

### Transport Encryption {#transport-encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security),
which means data are encrypted by default when transmitted across networks. Mastercard's encryption scheme is typically used for encrypting sensitive data such as personally identifiable information (PII).

## Environment Descriptions {#environment-descriptions}

The table below describes the two different environments available.

| Environment | Description |
|-------------|-------------|
| Sandbox     | In the sandbox environment a mock service is running that provides sample responses. To access Sandbox, select Merchant Identifier when setting up [My Projects](https://developer.mastercard.com/dashboard). |
| Production  | In production you can access the live services. To access production you need to select [Request Production Access](https://developer.mastercard.com/dashboard) in the Merchant Identifier project you have set up. |

## How to Consume the API? {#how-to-consume-the-api}

### Generating your own Merchant Identifier API client {#generating-your-own-merchant-identifier-api-client}

Create customizable API clients from the Merchant Identifier API specification and let Mastercard's open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

To learn how to generate your own client, follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with the following [Merchant Identifier API specification file](https://static.developer.mastercard.com/content/merchant-identifier/swagger/merchantidentifier-v3.yaml).
