# Encryption and Signature Verification Keys
source: https://developer.mastercard.com/platform/documentation/credential-management/encryption-and-sig-ver-key-management/index.md

## Overview {#overview}

This guide walks through the basics of managing encryption and signature verification keys for a Mastercard Developers project. This includes adding, rotating, renewing, and revoking keys.

There are 3 types of encryption and signature verification keys:

1. **Client encryption key** - the public key used by your application to encrypt payloads. Mastercard will provide you with this public key.
2. **Mastercard encryption key** - the public key used by Mastercard to encrypt payloads. Your application will store and use the private key for decryption.
3. **Client signature verification key** - the private key used by your application to sign requests.

## Add Key {#add-key}

You can add encryption and signature verification keys to your Mastercard Developers project. The available methods depend on the key type.

### Client Encryption Key {#client-encryption-key}

When you add a client encryption key to your Mastercard Developers project, a PEM file is created containing the public key used by your application to encrypt payloads. Mastercard stores and uses the private key for decryption.

Here are the steps:

1. Open your Mastercard Developers project   

2. Open the "Sandbox credentials" or "Production credentials" screen, depending on which environment the key will be used for, and click the *Add key* button.  

3. Select the *Client Encryption Key* option.  
   ![Step 3: Select client encryption key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-client-enc-key-1.png)
4. Click the *Proceed* button and then the *Create key* button.  
   ![Step 4: Create button](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-client-enc-key-2.png)
5. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

### Mastercard Encryption and Client Signature Verification Key {#mastercard-encryption-and-client-signature-verification-key}

You can add Mastercard encryption and client signature verification keys to your Mastercard Developers project, using the three methods below. In all three methods, a private/public key pair will be created where the private key is generated by you (or your web browser) and the public key is certified by Mastercard.

#### Method 1 - Generate a new private key {#method-1---generate-a-new-private-key}

If you choose to have Mastercard generate a private key for you, it will be done inside your browser and will never be seen by us.

Here are the steps:

1. Open your Mastercard Developers project   

2. Open the "Sandbox credentials" or "Production credentials" screen, depending on which environment the key will be used for, and click the *Add key* button next to the API name.  

3. Select the *Mastercard Encryption Key* or *Client Signature Verification Key* option.  
   ![Step 2: Add project key button](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-1.png)
4. Select the *Generate a new private key* option.  
   ![Step 3: Generate a new private key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-2.png)
5. Enter a key alias and keystore password and create the key.  
   ![Step 4: Add key alias and keystore password](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-3.png)
6. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

7. If this is the second key of this type, activate the new key by clicking *Activate* under the *Manage* menu (of the new key).   
   ![Step 6: Activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-2.png)
8. Agree to activate the new key.  
   ![Step 7: Confirm activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-3.png)

#### Method 2 - Upload an existing private key (upload a CSR file) {#method-2---upload-an-existing-private-key-upload-a-csr-file}

If you want to use an existing private key, you can upload a certificate signing request (CSR) to be used with your corresponding private key to sign your API requests.

Here are the steps:

1. Open your Mastercard Developers project   

2. Open the "Sandbox credentials" or "Production credentials" screen, depending on which environment the key will be used for, and click the *Add key* button next to the API name.  

3. Select the *Mastercard Encryption Key* or *Client Signature Verification Key* option.  
   ![Step 2: Add project key button](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-1.png)
4. Select the *Use an existing private key* option.  
   ![Step 3: Use an existing private key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-4.png)
5. Enter a key alias, upload your CSR file, and create the key.  
   ![Step 4: Add key alias and upload CSR file](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-5.png)
6. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

7. If this is the second key of this type, activate the new key by clicking *Activate* under the *Manage* menu (of the new key).   
   ![Step 7: Activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-2.png)
8. Agree to activate the new key.  
   ![Step 8: Confirm activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-3.png)

#### Method 3 - Upload an existing private key (paste in a CSR file) {#method-3---upload-an-existing-private-key-paste-in-a-csr-file}

If you want to use an existing private key, but are not able to upload a CSR file, you can paste in the CSR contents to be used with your corresponding private key to sign your API requests.

Here are the steps:

1. Open your Mastercard Developers project   

2. Open the "Sandbox credentials" or "Production credentials" screen, depending on which environment the key will be used for, and click the *Add key* button next to the API name.  

3. Select the *Mastercard Encryption Key* or *Client Signature Verification Key* option.  
   ![Step 2: Add project key button](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-1.png)
4. Select the *Paste in a CSR file* option.  
   ![Step 3: Paste in a CSR file](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-6.png)
5. Enter a key alias, paste in your CSR file, and create the key.  
   ![Step 4: Add key alias and paste in CSR file](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-oauth-key-7.png)
6. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

7. If this is the second key of this type, activate the new key by clicking *Activate* under the *Manage* menu (of the new key).   
   ![Step 7: Activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-2.png)
8. Agree to activate the new key.  
   ![Step 8: Confirm activate new Encryption Key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-3.png)
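
For Methods 2 and 3, the key pair and CSR can be created and checked locally before the CSR is uploaded or pasted. The following is an added example, not Mastercard's own tooling: it assumes the `openssl` CLI, and the RSA 2048-bit key size, file names and subject are assumptions, since this page does not state the required key parameters.

```shell
#!/bin/sh
# Added example: create a private key and CSR locally, then confirm the CSR
# really belongs to the private key you will keep, before submitting the CSR.
# RSA-2048, the file names and the subject are assumptions, not page values.

# Generate a private key (owner-readable only) and a CSR for it.
# $1 = private key path, $2 = CSR path, $3 = common name (hypothetical)
make_key_and_csr() {
    # umask in a subshell so the restrictive mode applies only to the key file
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Succeeds only if the CSR's self-signature verifies and the public key in
# the CSR is the one derived from the given private key.
# $1 = private key path, $2 = CSR path
csr_matches_key() {
    # Match on the output text: older openssl releases exit 0 even when
    # the self-signature check fails.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Example use (hypothetical names):
#   make_key_and_csr signing.key signing.csr "my-key-alias"
#   csr_matches_key signing.key signing.csr && echo "CSR is ready to submit"
```

Only the CSR leaves your machine; the private key file stays with your application.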

## Manage Expiring Key {#manage-expiring-key}

When you have an expiring encryption or signature verification key, you must rotate the key by creating a new one and updating your application to use the new key. You will need to rotate your key before it expires to prevent your integration from being interrupted.

### Client Encryption Key {#client-encryption-key-1}

1. Open your Mastercard Developers project with the expiring client encryption key   

2. Follow the steps above to [add the new client encryption key](https://developer.mastercard.com/platform/documentation/credential-management/encryption-and-sig-ver-key-management/index.md#client-encryption-key)   

3. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

4. Update your application to use the new client encryption key that was downloaded. Avoid service interruptions by updating your code before your existing key expires.  

5. Finally, we recommend revoking the unused client encryption key by using the *Manage* dropdown menu after you have successfully switched to the new one.  

### Mastercard Encryption and Client Signature Verification Key {#mastercard-encryption-and-client-signature-verification-key-1}

1. Open your Mastercard Developers project with the expiring Mastercard encryption or client signature verification key   

2. Follow the steps above to [add the new Mastercard encryption or client signature verification key](https://developer.mastercard.com/platform/documentation/credential-management/encryption-and-sig-ver-key-management/index.md#mastercard-encryption-and-client-signature-verification-key). Any of the three add-key methods is acceptable.   

3. Find the new key on the "Sandbox credentials" or "Production credentials" screen and note the associated fingerprint.  

4. After making changes in your code, activate the new key by clicking *Activate* under the *Manage* menu (of the new key). Avoid service interruption by activating the key as soon as you have updated your code to use the new key.  
   ![Step 4: Activate new encryption key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-2.png)
5. Agree to activate the new key.  
   ![Step 5: Confirm activate new encryption key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-3.png)
6. Finally, we recommend revoking the unused key after you have successfully switched to the new key.  

## Activate a Mastercard Encryption and Client Signature Verification Key {#activate-a-mastercard-encryption-and-client-signature-verification-key}

Due to the nature of outbound encryption and signature verification, you can only have one active Mastercard encryption key and one client signature verification key at a time. When your project only has one key of either type, it will always be the active key. The key's `active` or `inactive` status is shown above the key name on the "Sandbox credentials" and "Production credentials" screens.

If you have multiple keys of either type, you can choose which key is active, that is, which key Mastercard should use to encrypt and/or sign your payloads. The following steps explain how to activate a key:

1. Open your Mastercard Developers project with the Mastercard encryption or client signature verification key you want to activate  

2. Find the key on the "Sandbox credentials" or "Production credentials" screen and click *Activate* under the *Manage* menu. To avoid service interruptions, activate the key only once you have updated your code to use it.  
   ![Step 4: Activate new encryption key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-2.png)
3. Agree to activate the new key.  
   ![Step 5: Confirm activate new encryption key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-add-mc-enc-or-cli-sig-ver-key-3.png)
4. Finally, we recommend revoking the unused key after you have successfully switched to the new key.  

## Revoke Key {#revoke-key}

If you have a key you're no longer using, you can revoke it to ensure it's not usable and you don't receive the expiration notifications.

### Client Encryption Key {#client-encryption-key-2}

You can revoke any client encryption keys using the following steps:

1. Open your Mastercard Developers project with the key you want to revoke.   

2. Find the key on the "Sandbox credentials" or "Production credentials" screen and click *Revoke key* under the *Manage* menu.  

   ![Step 2: Revoke Key in dropdown](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-revoke-client-enc-key-1.png)
3. Confirm you've selected the correct key, enter "REVOKE" in the text field and click the *Revoke* button.  
   ![Step 3: Confirm revoke key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-revoke-mc-enc-cli-sig-ver-key-2.png)
4. Your key has now been revoked.

### Mastercard Encryption and Client Signature Verification Key {#mastercard-encryption-and-client-signature-verification-key-2}

As explained above, only one Mastercard encryption key and one client signature verification key can be active at a time. Inactive keys can be revoked at any time, while an active key can only be revoked when it is the only key of that key type. This is intended to prevent you from accidentally revoking the key your application is actively using for encryption.

You can revoke a Mastercard encryption or client signature verification key using the following steps:

1. Open your Mastercard Developers project with the key you want to revoke.   

2. Find the key on the "Sandbox credentials" or "Production credentials" screen and click *Revoke key* under the *Manage* menu.
   1. The key must be `inactive` or, if it's `active`, the only key of that key type.   
      ![Step 2: Revoke Key in dropdown](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-revoke-mc-enc-cli-sig-ver-key-1.png)
3. Confirm you've selected the correct key, enter "REVOKE" in the text field and click the *Revoke* button.  
   ![Step 3: Confirm revoke key](https://static.developer.mastercard.com/content/platform/img/keyrenewaldocs/20250711-revoke-mc-enc-cli-sig-ver-key-2.png)
4. Your key has now been revoked.

## FAQs {#faqs}

Yes, key owners and project admins will get notifications 90, 60, 30, 15, 7, and 1 day(s) before the key expires. Upon expiration, key owners and project admins will receive an additional email, indicating that the key is no longer valid. Encryption and signature verification keys generated through Mastercard Developers are valid for 13 months.
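
The notification schedule above can also be mirrored locally, so that a pipeline or scheduled job flags an expiring key independently of e-mail delivery. This is an added example, not part of the Mastercard documentation: it assumes the `openssl` CLI and that you hold the key's certificate as a PEM file, and `expiry_window` and the file name are hypothetical.

```shell
#!/bin/sh
# Added example: report which notification window (in days) a certificate
# has entered, using the page's schedule of 90, 60, 30, 15, 7 and 1 day(s).
# Assumes the key's certificate is available locally as a PEM file.

# $1 = certificate path (PEM)
# Prints: "unreadable", "expired", the smallest window in days that the
# certificate falls inside, or "ok" when more than 90 days remain.
# Returns 0 only for "ok", so it can gate a pipeline step.
expiry_window() {
    # Reject files that are not a parseable certificate
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 1
    fi
    for days in 1 7 15 30 60 90; do
        if ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
            echo "$days"
            return 1
        fi
    done
    echo "ok"
}

# Example use (hypothetical file name):
#   window=$(expiry_window encryption-cert.pem) || echo "rotate soon: $window"
```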
