# API Basics
source: https://developer.mastercard.com/payment-account-management/documentation/api-basics/index.md

Before you sign up to use the PAM API, familiarize yourself with the authentication and field-level encryption requirements for Mastercard APIs.

## Authentication {#authentication}

Mastercard uses OAuth 1.0a with the body hash extension to authenticate API clients. Every request that you send to Mastercard must be signed with an RSA private key. You must generate an RSA key pair consisting of:

* A private key, used to create the OAuth signature for API requests. It is recommended to keep the private key in a password-protected or hardware keystore.
* A public key, shared with Mastercard during the project setup process through either a Certificate Signing Request (CSR) or the API Key Generator. Mastercard uses the public key to verify the OAuth signature that is provided on every API call.
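The signing flow described above, as an added example that is not Mastercard's library code: it builds the OAuth 1.0a signature base string with an `oauth_body_hash` parameter, signs it with the RSA private key, and shows the check the public-key holder performs. SHA-256 for the body hash and the signature, the function names, the URL and the consumer key are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// RFC 3986 percent-encoding, as OAuth 1.0a requires (stricter than encodeURIComponent).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Builds the Authorization header for one request (hypothetical helper).
// nonce and timestamp are injectable so a receiver or a test can rebuild the base string.
function signRequest({ method, url, body = '', consumerKey, privateKey, nonce, timestamp }) {
  const u = new URL(url);
  const oauth = {
    // Body hash extension: binds the exact payload bytes to the signature.
    oauth_body_hash: crypto.createHash('sha256').update(body).digest('base64'),
    oauth_consumer_key: consumerKey,
    oauth_nonce: nonce ?? crypto.randomBytes(16).toString('hex'),
    oauth_signature_method: 'RSA-SHA256',
    oauth_timestamp: String(timestamp ?? Math.floor(Date.now() / 1000)),
    oauth_version: '1.0',
  };
  // Normalised parameters: query and oauth_* pairs, encoded, sorted by name then value.
  const params = [...u.searchParams.entries(), ...Object.entries(oauth)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map((p) => p.join('=')).join('&');
  const baseUrl = `${u.protocol}//${u.host}${u.pathname}`; // URL lower-cases the host
  const baseString = [method.toUpperCase(), enc(baseUrl), enc(params)].join('&');
  const signature = crypto.sign('sha256', Buffer.from(baseString), privateKey).toString('base64');
  const header = 'OAuth ' + Object.entries({ ...oauth, oauth_signature: signature })
    .map(([k, v]) => `${k}="${enc(v)}"`).join(',');
  return { header, baseString, signature };
}

// Receiving side: rebuild the base string from the request as received,
// then verify the signature with the registered public key.
function verifyRequest(baseString, signature, publicKey) {
  return crypto.verify('sha256', Buffer.from(baseString), publicKey, Buffer.from(signature, 'base64'));
}

// Constructed demo: throwaway key pair and placeholder values, not real credentials.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const req = { method: 'POST', url: 'https://api.example.test/pam/accounts?format=json',
    body: '{"constructed":"payload"}', consumerKey: 'CONSTRUCTED-KEY', privateKey, nonce: 'n1', timestamp: 1 };
  const signed = signRequest(req);
  const received = signRequest({ ...req, body: '{"constructed":"changed"}' }); // body altered in transit
  return { intact: verifyRequest(signed.baseString, signed.signature, publicKey),
    tampered: verifyRequest(received.baseString, signed.signature, publicKey) };
}
```

Because the body hash is part of the signed base string, a payload changed after signing no longer verifies, which is what `demo()` reports in its `tampered` field.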

### OAuth keys & authentication libraries {#oauth-keys--authentication-libraries}

For further details, refer to the [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/using-oauth-1a-to-access-mastercard-apis/) and [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorials.

Note:

* Refer to the [Environments and Key Usage](https://developer.mastercard.com/payment-account-management/documentation/api-basics/index.md#environments-and-key-usage) table below to identify which keys are to be used for specific environments.
* Production keys are generated when you move a Project to Production (request production access).

## Encryption {#encryption}

In addition to OAuth authentication, any Payment Card Industry (PCI) sensitive data must be encrypted. This requirement applies to the API fields containing `encryptedData`. Sensitive data is encrypted using a symmetric session (one-time-use) key. The symmetric session key is then wrapped with an RSA public key supplied by Mastercard during the API setup phase (the Client Encryption Key).

### Payload Encryption {#payload-encryption}

The PAM service requires field-level encryption for sensitive data. Keys are created as part of the project setup process and can then be downloaded from your project dashboard. Client encryption libraries can be found on [GitHub](https://github.com/search?q=topic%3Afield-level-encryption+org%3AMastercard&type=Repositories). For further details, refer to [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/securing-sensitive-data-using-payload-encryption/).

|          **Key**          |                                                **Usage**                                                |
|---------------------------|---------------------------------------------------------------------------------------------------------|
| Client Encryption key     | This key is used to wrap the one-time use AES key in the encrypted payload that you send to Mastercard. |
| Mastercard Encryption key | The private key used to unwrap the encrypted payload in responses from MDES that contain encrypted data. |
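The wrap and unwrap roles in the table, as an added example that is not Mastercard's library code: a one-time AES key encrypts the sensitive object and is itself wrapped with an RSA public key, and the private-key holder reverses both steps. The algorithms (AES-128-CBC, RSA-OAEP with SHA-256), the hex encoding, and every field name other than `encryptedData` are assumptions for this example; take the real values from the API reference or use the published client libraries.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: encrypt the sensitive object under a fresh AES key, then wrap that key
// with the recipient's RSA public key (the Client Encryption Key for requests).
function encryptField(sensitive, rsaPublicKey) {
  const sessionKey = crypto.randomBytes(16); // one-time-use AES-128 key
  const iv = crypto.randomBytes(16);         // fresh IV for every payload
  const cipher = crypto.createCipheriv('aes-128-cbc', sessionKey, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(sensitive), 'utf8'), cipher.final()]);
  const wrapped = crypto.publicEncrypt({ key: rsaPublicKey, ...OAEP }, sessionKey);
  sessionKey.fill(0); // the session key is never stored or reused
  return {
    encryptedData: data.toString('hex'),
    encryptedKey: wrapped.toString('hex'), // assumed field name
    iv: iv.toString('hex'),                // assumed field name
  };
}

// Recipient: unwrap the session key with the RSA private key, then decrypt.
function decryptField(envelope, rsaPrivateKey) {
  const sessionKey = crypto.privateDecrypt(
    { key: rsaPrivateKey, ...OAEP }, Buffer.from(envelope.encryptedKey, 'hex'));
  const decipher = crypto.createDecipheriv('aes-128-cbc', sessionKey, Buffer.from(envelope.iv, 'hex'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(envelope.encryptedData, 'hex')), decipher.final()]);
  sessionKey.fill(0);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed demo: throwaway key pairs stand in for the Mastercard-issued keys.
function demo() {
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const card = { accountNumber: '5555555555554444' }; // constructed test value
  const first = encryptField(card, recipient.publicKey);
  const second = encryptField(card, recipient.publicKey);
  let wrongKeyRejected = false;
  try { decryptField(first, other.privateKey); } catch { wrongKeyRejected = true; }
  return {
    roundTrip: decryptField(first, recipient.privateKey).accountNumber === card.accountNumber,
    freshKeyEachTime: first.encryptedKey !== second.encryptedKey && first.iv !== second.iv,
    wrongKeyRejected,
  };
}
```

CBC mode carries no integrity check of its own; in this API the OAuth body hash signature is what covers the request body, so the encrypted field must travel inside a signed request.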

## Environments and Key Usage {#environments-and-key-usage}

The table below describes the three different environments that are available for the service. All three environments are available on the same Payment Account Management service.

|          **Environment**           |                                                                                                                                                                                **Description**                                                                                                                                                                                 | **Onboarding Required?** |  **Authentication**  |    **Encryption Key**     |
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------|----------------------|---------------------------|
| **Static**                         | Early access environment containing limited-capability mock APIs, intended to assist with the initial integration for new clients. The Sandbox returns mock responses for a defined request. The JSON samples can be used as a reference for sending requests and receiving responses. The Sandbox will only validate the length and data type of the request parameters.      | No                       | Sandbox Client Id    | Sandbox Encryption Key    |
| **Mastercard Test Facility (MTF)** | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration testing prior to moving to production.                                                                                                                                                                                                               | Yes                      | Sandbox Client Id    | Sandbox Encryption Key    |
| **Production**                     | Full production environment containing the latest production API release.                                                                                                                                                                                                                                                                                                      | Yes                      | Production Client Id | Production Encryption Key |

Note: Refer to [Environment Domains](https://developer.mastercard.com/payment-account-management/documentation/environment-domains/index.md) for the detailed URLs.
