# API Basics
source: https://developer.mastercard.com/priceless-specials/documentation/api-basics/index.md
The Priceless Specials API is organized around [REST](https://en.wikipedia.org/wiki/Representational_state_transfer) principles. The API has predictable resource-oriented URLs, accepts [JSON](https://www.json.org/json-en.html) request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs.
## Authentication {#authentication}
The Priceless Specials API uses API keys to authenticate requests. Mastercard uses one-legged [OAuth 1.0a](https://oauth.net/core/1.0a/) for authenticating and authorizing client applications. It means, every request sent must be digitally signed, and requests with valid signatures created by authorized clients are granted access to the services. Also, requests with a body must be signed using the Google Request Body Hash extension for OAuth. If you do not include your key when requesting the API or use the incorrect or outdated key, Mastercard will return an error.
In short, before sending a request to the API:
* You must use the private key to create the OAuth signature for all your requests. We recommend storing your private key in a password-protected or hardware key store.
* The public key is shared with Mastercard during the setup process as a Certificate Signing Request (CSR). Mastercard will use the public key to verify the OAuth signature that you will provide on every API call.
Refer to the following pages for more details:
* [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#overview)
* [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/)
### Obtaining API keys {#obtaining-api-keys}
The API keys are available in your project dashboard on Mastercard Developers. You will use the Sandbox API keys for testing and development. A different set of keys are required for the Production environment.
Note: If you have not downloaded the keys yet, refer to the [Tutorials and Guides](https://developer.mastercard.com/priceless-specials/documentation/tutorials-and-guides/index.md) section.
## Encryption {#encryption}
The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks. Where sensitive data like Personally Identifiable Information (PII) is sent, this is also encrypted using the Mastercard encryption scheme. For further details, refer to [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/securing-sensitive-data-using-payload-encryption/).
## Environments {#environments}
The following table describes the different environments that are available.
| Environment | Description |
|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox | It is the test environment intended for full integration testing before moving to production. At this stage, use the Sandbox keys generated during the [Sandbox project creation](https://developer.mastercard.com/priceless-specials/tutorial/create-sandbox-apis/index.md). |
| Production | It is the production environment that contains the latest production API release. You can request approval to obtain the Production keys. Once approved, you can proceed to complete testing in the Production environment. |