# Onboarding for Encryption Key Management
source: https://developer.mastercard.com/open-finance-us/documentation/onboarding-encryption-keys/index.md

To get started with creating an Open Finance project, [log in](https://developer.mastercard.com/account/log-in) to your Mastercard Developers account. If you do not have a Mastercard Developers account yet, [sign up](https://developer.mastercard.com/account/sign-up) and follow the instructions to create an account.
Warning: This version of the Onboarding documentation includes details of how to create and download encryption keys. By default, this option is not presented to US Open Finance clients, as there are only certain very specific use cases for these keys at present. If you are reading this, it is most likely that your Customer Success Manager or Solution Engineer has directed you to this documentation because key generation has been enabled at your request. Your Solution Engineer will be able to provide more details on how the keys can be used in your situation.

## Create a Sandbox Project {#create-a-sandbox-project}

A Sandbox project gives you access to the Open Finance Test Drive plan. Test Drive allows you to use different test accounts and mock financial institution data to test Open Finance APIs. It is free to use and is ideal for development and testing. For more information on test data, see [Test Profiles](https://developer.mastercard.com/open-finance-us/documentation/integration-and-testing/test-the-apis/index.md).

1. [Log in](https://developer.mastercard.com/account/log-in) to Mastercard Developers and click the **Create New Project** button located at the top of the page.

2. Provide the **Project Details**:

   a. Enter a name for your project.

   b. Choose the project type:
   * Select **No** if this project is for yourself
   * Select **Yes** to create the project on behalf of a client. If you are creating a project on behalf of a client, see [Partner Direct Model](https://developer.mastercard.com/open-finance-us/documentation/participant-model/partner-direct/index.md) and learn how you can [onboard your affiliate customers](https://developer.mastercard.com/open-finance-us/documentation/participant-model/partner-direct/onboarding-customers/index.md#onboard-using-mastercard-developers-dashboard)

   c. Select **Open Finance** from the **Select your API service** drop-down list.

   d. From the **Commercial Countries** drop-down list, select the country where the end users of this application will be located. You cannot update Commercial Countries after this step. Ensure you select the appropriate country before you click **Proceed**.

   e. Click **Proceed**.
3. Provide the **Service Details**:

   a. Enter a description for your Sandbox credentials.

   b. Click **Proceed**.
4. Add **Additional Credentials**:

   a. To generate a Mastercard Encryption Key (private key) in your browser, provide the Key alias and Keystore password and click **Create Project**. The browser generates a PKCS#12 keystore file securing your private key with the provided keystore password. To learn more about the different encryption keys and their purpose, see [Encryption Keys](https://developer.mastercard.com/open-finance-us/documentation/onboarding-encryption-keys/index.md#encryption-keys).

   Alternatively, you can click **Skip this step** to generate the encryption keys (Client Encryption and Mastercard Encryption) at a later time. You can do this by using the **Add key** option available in your project dashboard for both Sandbox and Production environments.

   b. Click **Download key file** to download your Mastercard Encryption Key (private key).

   c. Click **Open project**. Your project displays the Sandbox credentials: `Partner ID`, `Secret`, and `App Key`. These credentials are required to call the APIs. The Client Encryption Key and the Mastercard Encryption Key are also generated.

## Keys {#keys}

To access the Open Finance APIs, you'll need authentication keys. Additionally, you can use encryption keys to further secure your data exchanges with Mastercard.

### Authentication Keys {#authentication-keys}

To access Open Finance APIs, you will need the following:

* **PartnerID** - The PartnerID is a unique identifier for a specific set of credentials, including the secret and appKey. All requests sent to Mastercard Open Finance must include a token for accessing Open Finance APIs. To create a token, you are required to provide the PartnerID along with the corresponding secret and appKey.

* **Secret** and **appKey** - Credentials required to authenticate your API calls.

### Encryption Keys {#encryption-keys}

In addition to the credentials used to authenticate your requests, your Open Finance project provides additional credentials for encrypting data exchanged with Mastercard.
Tip: To learn more about how data between client applications and Mastercard is secured, see [Securing Payload Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/). Additionally, to assist you in performing payload encryption and decryption, Mastercard provides [encryption libraries](https://github.com/Mastercard?&q=client-encryption).

### Types of Encryption Keys {#types-of-encryption-keys}

The encryption keys include the following types:

#### Mastercard Encryption Key {#mastercard-encryption-key}

This key is used for encrypting responses from Mastercard to ensure secure communication.

* **Owned By**: Client
* **Mastercard Action**: Encrypts data using the public key
* **Partner Action**: Decrypts data using the private key

#### Client Encryption Key {#client-encryption-key}

This key is used for encrypting requests sent to Mastercard to protect sensitive information during transmission.

* **Owned By**: Mastercard
* **Partner Action**: Encrypts data using the public key
* **Mastercard Action**: Decrypts data using the private key

## Request Production Access {#request-production-access}

Once you've thoroughly tested your application in the Sandbox environment and are confident that it's working as expected, you can request an upgrade to Production. To request Production access, click the **Request Production access** button on the Summary page.

When you request an upgrade to Production, you can choose to request a **Test Drive Premium (non-billable)** plan or a **Production (billable)** plan.

* **Test Drive Premium**: A Production, non-billable plan that allows you to access all Open Finance endpoints and gives you the ability to test against live financial data for a trial period. We recommend using Test Drive Premium before moving to the Production (billable) plan.

* **Production**: A Production, billable plan that provides you access to the Open Finance endpoints mentioned in your contract. Your specific pricing and billing structure will be governed by your agreement with Mastercard. This plan should not be used for testing purposes.

After you select a suitable plan and click **Proceed**, the credentials required to access the API in the Production environment are created. Make a note of the Partner ID and share it with your Mastercard Representative. These credentials will only be active and ready to use in Production after Mastercard reviews and approves your Production access request.
Note: Requests for Production plans, **Test Drive Premium** (non-billable) and **Production** (billable), will be approved only if a contract between you and Mastercard has been executed. Please work with your Sales Representative or Client Success Manager to upgrade to Production. Contact [OFin.contactsales@mastercard.com](mailto:OFin.contactsales@mastercard.com) for more information.

## Add Keys {#add-keys}

If a key is nearing expiry, or you need to use multiple environments for testing (for example, one test environment for developers, another for User Acceptance Testing or UAT), you can add new keys as follows:

### Add Partner ID: {#add-partner-id}

You can request an additional set of credentials, including the `Partner ID`, `Secret`, and `App Key`, using the **Add Partner ID** button.

### Add Encryption Keys {#add-encryption-keys}

#### To add Client Encryption Key: {#to-add-client-encryption-key}

1. Go to Sandbox Credentials or Production Credentials (depending on the environment you want to add the keys in) and click **Add key**.

2. Select Client Encryption Key and click **Proceed**.

3. Click **Create key**.

4. Click **Download file** to download the public key to encrypt the payload.

#### To add Mastercard Encryption Key: {#to-add-mastercard-encryption-key}

1. Go to Sandbox Credentials or Production Credentials (depending on the environment you want to add the keys in) and click **Add Key**.
2. Select **Mastercard Encryption Key** and click **Proceed**.
3. You will see the following options to add a new key. Select the appropriate option based on your needs:

###### Option 1: Generate a new private key

The system generates the key inside your browser, ensuring it remains private and unseen by the system.

1. After selecting **Generate a new private key**, click **Proceed**.
2. Provide the Key alias and Keystore password and click **Create key**. The browser generates a PKCS#12 keystore file securing your private key with the provided keystore password.
3. Click **Download key file** to download your Mastercard Encryption Key (private key).
4. Click **Open Project** to view your project dashboard.

###### Option 2: Use an existing private key

Choose this option if you already have a private key and need to upload a Certificate Signing Request (CSR). Upload the CSR file to associate it with your existing private key.

1. After selecting **Use an existing private key**, click **Proceed**.
2. Provide a Key alias and click **Add an attachment**. Browse to and select the CSR file generated on your system; it must be in PEM format.
3. Click **Create key**.

Note: Ensure the CSR you are uploading is unique and is not associated with a Mastercard Encryption Key in your project. Uploading a CSR that already exists in your project will result in an error.

###### Option 3: Paste in a CSR file

Select this option if you prefer to paste the contents of your CSR file directly. Ensure that the CSR is associated with your existing private key.

1. After selecting **Paste in a CSR file**, click **Proceed**.
2. Provide a Key alias and paste the content of your CSR file in the CSR field and click **Create key**.
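
Options 2 and 3 both expect a PEM CSR that belongs to a private key you already hold. The script below is an added example, not Mastercard's own tooling: it creates such a CSR with OpenSSL and checks it before upload. The file names, the subject value and the RSA 2048 key type are assumptions; the page does not state key requirements.

```shell
#!/usr/bin/env bash
# Added example. File names, the subject and RSA-2048 are assumptions, not Mastercard values.
set -eu

# Generate a private key readable only by its owner (skip if you already have one).
make_key() {  # $1 = key path
  ( umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Create a PEM-encoded CSR signed with the existing private key.
make_csr() {  # $1 = key path, $2 = CSR path, $3 = subject, e.g. "/CN=placeholder"
  openssl req -new -key "$1" -subj "$3" -out "$2"
}

# SHA-256 over the DER SubjectPublicKeyInfo: identifies the key pair behind a file.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
pubkey_fp_from_csr() {
  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the file is a PEM CSR, its self-signature verifies,
# and its public key belongs to the given private key.
check_csr() {  # $1 = CSR path, $2 = key path
  head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----' || return 1
  # Match the message text rather than relying on the exit status of -verify.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  [ "$(pubkey_fp_from_csr "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

# Usage: ./check_csr.sh request.csr private.key
if [ "$#" -eq 2 ]; then
  check_csr "$1" "$2" && echo "CSR OK, key fingerprint: $(pubkey_fp_from_csr "$1")"
fi
```

Recording the fingerprint of each CSR you upload gives you a quick way to spot a CSR that is already associated with a key in the project, which the note above says is rejected.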

### Activate/Deactivate Mastercard Encryption Key {#activatedeactivate-mastercard-encryption-key}

Only the Mastercard Encryption key can be activated or deactivated. Each environment can have only one active Mastercard Encryption Key at a time. Activating a new key will automatically deactivate the current active key.

To activate a Mastercard Encryption Key, use the **Manage** drop-down available next to the key and click **Activate**. The status of the key will change to **Active** and the previously active key is deactivated.

## View API Usage {#view-api-usage}

Click **View API Usage** to gain valuable insights into the usage of the API and traffic for each endpoint specific to a Partner ID.

## Access Client Hub {#access-client-hub}

Use the Client Hub to check the status of a financial institution's connection and simplify your billing reconciliation process. For more information, see [Client Hub Guide](https://developer.mastercard.com/open-finance-us/documentation/client-hub-guide/index.md).

## Delete Partner ID {#delete-partner-id}

To delete a Partner ID and the associated Secret and App Key, click **Manage** next to the credentials and select **Delete Credential**. Once you delete the credentials, you can no longer use them to access the APIs. When deleting a set of credentials, ensure there's another set of active credentials.

## Revoke Encryption Keys {#revoke-encryption-keys}

To delete a Mastercard Encryption Key or Client Encryption Key, click **Manage** next to the key and select **Revoke key**.
Note: You must have more than one of each type of key (Client Encryption Key and Mastercard Encryption Key) to revoke them. If you have only one of each, revoking a key is not possible.

## Edit Project Details {#edit-project-details}

You can update the following details in a project:

* Project's name.
* Details of the company on behalf of which the project is created.
* Switch to a client project - Modify the project that was initially created for yourself to a project for your client. You can do this only if the client company is unverified. A client company cannot be updated once it has been verified. To learn more about company verification, see [Company Verification](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/managing-your-account/company-verification-via-connect-linking/).

## Team Management {#team-management}

You can invite team members to your Open Finance project to ensure that all the members are notified of the project activities. You must be an *Admin (Owner)* to add or remove a team member. To learn more about how you can use the Team Management feature, see the [Team Management](https://developer.mastercard.com/platform/documentation/managing-your-account/team-management/) section of our [Mastercard Developers Platform](https://developer.mastercard.com/platform/documentation/) documentation.

## See Also {#see-also}

[Quick Start Guide](https://developer.mastercard.com/open-finance-us/documentation/quick-start-guide/index.md)
