# API Basics
source: https://developer.mastercard.com/token-requestor-identifier-api/documentation/api-basics/index.md

## API Security {#api-security}

Mastercard uses OAuth 1.0a with a body hash extension for authenticating the API clients. [OAuth 1.0a](https://oauth.net/core/1.0a/) is an authentication and authorization protocol that guarantees the integrity and authenticity of incoming API calls and allows for non-repudiation of requests.

OAuth 1.0a requires every request that you send to Mastercard to be signed with an RSA private key. A private-public RSA key pair must be generated consisting of:

1. A private key, used to create the OAuth signature for API requests. It is recommended to keep the private key in a password-protected or hardware keystore. Data encrypted using a public key can only be decrypted using the corresponding private key.

2. A public key, which is shared with Mastercard during the project setup process through either a certificate signing request (CSR) or the API Key Generator. Mastercard will use the public key to verify the OAuth signature that is provided on every API call.

   * Requests with a body must be signed using the Google Request Body Hash extension for OAuth.
   * The OAuth keys for your project can be set up on the Developer Dashboard after you create a project.

Tip: Do you want to learn more about the authentication scheme Mastercard uses? Read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide.
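To show what the signature covers, the sketch below builds the `oauth_body_hash` value and the OAuth 1.0a signature base string that the RSA private key signs. It is an added example, not Mastercard's code: SHA-256 for the body hash, the `RSA-SHA256` method name and every sample value (host, consumer key, nonce, timestamp) are assumptions, and the RSA signing step itself is left to a signing library.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # RFC 3986 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def body_hash(body):
    # oauth_body_hash = base64(digest(body)); SHA-256 is assumed here.
    # A request without a body hashes the empty byte string.
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def base_uri(url):
    # Lowercase scheme and host, drop default port, query and fragment.
    parts = urlsplit(url)
    host = parts.hostname
    if parts.port and parts.port != {"http": 80, "https": 443}.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body=b""):
    params = dict(oauth_params, oauth_body_hash=body_hash(body))
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(params.items())
    # Encode each name and value, then sort, then join (OAuth 1.0a 9.1.1).
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


# Constructed sample request; none of these values come from Mastercard.
SAMPLE_OAUTH = {
    "oauth_consumer_key": "EXAMPLE-CONSUMER-KEY",
    "oauth_nonce": "a1b2c3d4e5f60718",
    "oauth_signature_method": "RSA-SHA256",  # assumed method name
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}
SAMPLE_URL = "HTTPS://Sandbox.example.test:443/trid/requests?limit=10"
SAMPLE_BODY = b'{"name":"constructed"}'

if __name__ == "__main__":
    signed = signature_base_string("post", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY)
    tampered = signature_base_string("post", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY + b" ")
    print(signed)
    print("body change alters signed string:", signed != tampered)
```

Because the body hash is one of the signed parameters, any change to the body, URL, method, nonce or timestamp after signing produces a different base string and the signature no longer verifies.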

## Environment Descriptions {#environment-descriptions}

The table below describes the different environments that are available for the Token Requestor Identifier (TRID) API:

| Environment Name |                                                                                                                                                Description                                                                                                                                                 |
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox          | The sandbox environment is a pre-production test environment where developers can experiment with API calls without affecting real data or systems, ensuring that any errors or issues can be safely identified and resolved. To access Sandbox, select Reference Service API when setting up My Projects. |
| Production       | The production environment is the live environment setting where the API interacts with actual users and the data environment. To access production, you need to select Request Production Access in the Reference Service project you have set up.                                                        |

## How to Consume the API? {#how-to-consume-the-api}

There are multiple ways of integrating with the Token Requestor Identifier (TRID) API:

* **Generating your own Token Requestor Identifier (TRID) API client (recommended)** Create customizable API clients from the Token Requestor Identifier (TRID) API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

Follow the [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/getting-started-with-mastercard-apis/) guide with the specification available on the [API specification](https://developer.mastercard.com/token-requestor-identifier-api/documentation/api-reference/index.md) page.

* **Using a method of your choice** Token Requestor Identifier exposes a REST API, described on the [API specification](https://developer.mastercard.com/token-requestor-identifier-api/documentation/api-reference/index.md) page. You are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) for signing your requests.

## Next Steps {#next-steps}

Now that you have an understanding of the service authentication and encryption, proceed to the [Quick Start Guide](https://developer.mastercard.com/token-requestor-identifier-api/documentation/quick-start-guide/index.md) section to learn how to access the API and generate your credentials.
