# API Basics
source: https://developer.mastercard.com/presentment/documentation/api-basics/index.md

## Client authentication {#client-authentication}

To access Mastercard APIs, you will need to configure your API client to authenticate using one of the following supported authentication protocols.

| Authentication protocol |                                                                                                                            Description                                                                                                                             |                                                                     Reference information                                                                      |
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| OAuth 1.0a              | This is the default authentication mechanism used by most APIs on Mastercard Developers. OAuth 1.0a is an authentication and authorization protocol that guarantee the integrity and authenticity of incoming API calls and allow for non-repudiation of requests. | [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) |
| OAuth 2.0               | Mastercard APIs use the OAuth 2.0 client credentials flow to authenticate API clients, and [FAPI 2.0](https://openid.bitbucket.io/fapi/fapi-security-profile-2_0.html), a security profile built for financial services.                                           | [Using OAuth 2.0 to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-2-to-access-mastercard-apis/)   |
| Mutual TLS (mTLS)       | Mutual TLS authentication is a two-way authentication mechanism based on Transport Layer Security (TLS) that uses digital certificates signed using the Public Key Infrastructure framework.                                                                       | [Using MTLS to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-mtls-to-access-mastercard-apis/)           |

You can manage your authentication keys from your  [Developer Dashboard](https://developer.mastercard.com/dashboard/) after you have created a project for Offers for Publishers or User Account Administration.

### Upgrade to OAuth 2.0 {#upgrade-to-oauth-20}

If your Mastercard Developers project uses OAuth 1.0a and the APIs in your project support OAuth 2.0, you can upgrade your project to support both authentication methods. To upgrade, follow the steps in the [Upgrading Keys to OAuth 2.0](https://developer.mastercard.com/platform/documentation/credential-management/oauth-key-management/#upgrading-keys-to-oauth-20) section.

## Transport Encryption {#transport-encryption}

All connections to Mastercard are secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security). Data is secured by default when transmitted across networks. However, Mastercard additionally uses end-to-end payload encryption for sensitive data such as personally identifiable information (PII).
Note: Visit [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/) to learn more about our encryption methods.

### JWE {#jwe}

|                       Authentication Protocol                        |                                                                                                                                                                             Details                                                                                                                                                                             |
|----------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [JSON Web Encryption](https://datatracker.ietf.org/doc/html/rfc7516) | JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures [RFC7159](https://datatracker.ietf.org/doc/html/rfc7159) and base64url encoding. Mastercard uses [JWE compact serialization](https://datatracker.ietf.org/doc/html/rfc7516#section-7.1) for the encryption of sensitive data and supports full body payload encryption. |

Tip: To learn more about the encryption scheme Mastercard uses, refer to the [JWE Encryption Guide](https://developer.mastercard.com/platform/documentation/authentication/securing-sensitive-data-using-payload-encryption/#jwe-encryption).

## Consume the Offers for Publishers API {#consume-the-offers-for-publishers-api}

Tip: Mastercard recommends using [OpenAPI Generator](https://openapi-generator.tech/) to integrate with the Offers for Publishers Service.

### Generating your own Offers for Publishers API client {#generating-your-own-offers-for-publishers-api-client}

Create a customizable API client from the Offers for Publishers API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is recommended. Follow the  [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/generating-and-configuring-a-mastercard-api-client/)  tutorial with the API specifications in the [API Reference](https://developer.mastercard.com/presentment/documentation/api-reference/index.md) section.

### Using a method of your choice {#using-a-method-of-your-choice}

Offers for Publishers exposes a REST API. You are free to use the REST/HTTP client of your choice and can still use the Mastercard open-source client libraries for signing your requests:

* [Client libraries for OAuth 1.0a](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries)
* [Client libraries for OAuth 2.0](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-2-to-access-mastercard-apis/#client-libraries)

<br />

Refer to the Offers for Publishers [API Reference](https://developer.mastercard.com/presentment/documentation/api-reference/presentment/index.md) section for details.

## Environments {#environments}

The table describes the two different environments that are available.

| Environment |                                                                                                         Description                                                                                                          |                                                      Base URLs                                                      |
|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| Sandbox     | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration testing prior to moving to production. Use your Sandbox key to authenticate with this environment. | `https://sandbox.api.mastercard.com/loyalty/offers` `https://sandbox.api.mastercard.com/loyalty/offers/presentment` |
| Production  | Full production environment containing the latest production API release. Use your Production key to authenticate with this environment.                                                                                     | `https://api.mastercard.com/loyalty/offers` `https://api.mastercard.com/loyalty/offers/presentment`                 |

Note: **Environment-specific auth/encryption:** OAuth 1.0a authentication, OAuth 2.0 authentication, and JWE payload encryption are identical across Sandbox and Production. The only difference is the base URL. No additional auth or encryption steps are required when promoting to Production.

## Next steps {#next-steps}

Now that you have an understanding of the authentication and encryption requirements, proceed to the [Quick Start Guide](https://developer.mastercard.com/presentment/documentation/quick-start-guide/index.md) section to learn how to access the API and generate your credentials.
