# API Basics
source: https://developer.mastercard.com/onboard-risk-check/documentation/api-basics/index.md

## API Security {#api-security}

### Authentication {#authentication}

* Mastercard uses [OAuth 1.0a](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/) for authenticating client applications.
* Requests with a body must be signed using the Google Request Body Hash extension for OAuth.
* OAuth Keys for your project can be set up in your dashboard.
* Create a Mastercard Developers project using the [Quick Start Guide](https://developer.mastercard.com/documentation/quick-start-guide/).
* Client authentication libraries can be found on GitHub, with how-to information provided in README.md files.
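
What the body-hash requirement above means for a request, as an added example (not Mastercard's code and not part of the original page): the digest of the raw body becomes the `oauth_body_hash` parameter and is folded into the OAuth 1.0a signature base string (RFC 5849), so any change to the body invalidates the signature. The SHA-256 digest, the `RSA-SHA256` method name, the URL and all parameter values are assumptions or constructed placeholders; the RSA signing step itself is left to the client libraries.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    # RFC 5849 section 3.6: everything except unreserved characters is encoded.
    return quote(value, safe="-._~")


def body_hash(body: bytes) -> str:
    # oauth_body_hash = base64(digest(raw body bytes)). SHA-256 is an assumption.
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def base_uri(url: str) -> str:
    # Lowercase scheme and host, drop the default port, the query and the fragment.
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}[parts.scheme]:
        host += f":{parts.port}"
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: bytes) -> str:
    # The body hash travels as an OAuth parameter, so the signature covers the body.
    params = dict(oauth_params, oauth_body_hash=body_hash(body))
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


# Constructed sample request: host, path and parameter values are placeholders.
SAMPLE_URL = "https://api.example.test/orc/checks?format=json"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "CONSUMER-KEY-PLACEHOLDER",
    "oauth_nonce": "nonce-0001",
    "oauth_timestamp": "1700000000",
    "oauth_signature_method": "RSA-SHA256",  # assumed method name
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_OAUTH, b'{"name":"Acme"}'))
```

Hash the exact bytes that go on the wire: re-serializing the JSON after hashing (different whitespace or key order) produces a signature the server will reject.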

#### OAuth keys and authentication libraries {#oauth-keys-and-authentication-libraries}

For details about OAuth keys and authentication libraries, refer to [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/). For step-by-step instructions, refer to [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/).

### Transport Encryption {#transport-encryption}

The transport between client applications and Mastercard's ORC API is secured using [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks.

Tip: Do you want to learn more about the authentication and encryption schemes Mastercard uses? Read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

## Environments {#environments}

The table below describes the two different environments that are available.

| **Environment** |                                                                                                                                                         **Description**                                                                                                                                                         |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Early access environment containing limited-capability mock APIs, intended to assist with the initial integration for new clients. The Sandbox returns mock responses for a defined request. The JSON samples can be used as a reference for sending requests and receiving responses. Some of the data returned may be random. |
| Production      | Full production environment containing the latest production API release.                                                                                                                                                                                                                                                       |

