# API Basics
source: https://developer.mastercard.com/track-search/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

|          Authentication Protocol           |                                                                                                                                Details                                                                                                                                |
|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [OAuth 1.0a](https://oauth.net/core/1.0a/) | Mastercard uses OAuth 1.0a with a body hash extension for authenticating the API clients. OAuth 1.0a is an authentication and authorization protocol that guarantees the integrity and authenticity of incoming API calls and allows for non-repudiation of requests. |

OAuth requires every request that you send to Mastercard to be signed with an RSA private key. You must generate an RSA key pair consisting of:

1. A **private key**, used to create the OAuth signature for API requests. It is recommended to keep the private key in a password-protected or hardware keystore. Data encrypted using a public key can only be decrypted using the corresponding private key.
2. A **public key**, shared with Mastercard during the project setup process through either a certificate signing request (CSR) or the API Key Generator. Mastercard uses the public key to verify the OAuth signature that is provided on every API call.

* Requests with a body must be signed using the [Google Request Body Hash](https://datatracker.ietf.org/doc/id/draft-eaton-oauth-bodyhash-00.html) extension for OAuth.
* After you create a project, you can set up its OAuth keys on the [Developer Dashboard](https://developer.mastercard.com/dashboard).
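
The signing and verification flow described above, as an added example (not Mastercard's client library code): the client hashes the body, signs the OAuth base string with its private key, and the receiving side verifies with the public key. It assumes SHA-256 for the body hash and `RSA-SHA256` as the signature method; the key pair, consumer key, endpoint and body are constructed for the demonstration.

```javascript
const nodeCrypto = require('node:crypto');
// Percent-encoding per RFC 5849 section 3.6 (stricter than encodeURIComponent).
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
// oauth_body_hash: base64 digest of the exact body bytes (SHA-256 is an assumption).
const bodyHash = (body) => nodeCrypto.createHash('sha256').update(body, 'utf8').digest('base64');
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & encoded base URL & encoded, sorted parameters.
function baseString(method, url, oauthParams) {
  const u = new URL(url);
  const pairs = [...u.searchParams.entries(), ...Object.entries(oauthParams)]
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map((p) => p.join('='));
  return [method.toUpperCase(), enc(u.origin + u.pathname), enc(pairs.join('&'))].join('&');
}

// Client: only the private-key holder can produce oauth_signature (RSA-SHA256 assumed).
function signRequest(privateKey, consumerKey, method, url, body) {
  const oauth = {
    oauth_consumer_key: consumerKey, oauth_version: '1.0',
    oauth_nonce: nodeCrypto.randomBytes(8).toString('hex'),
    oauth_timestamp: String(Math.floor(Date.now() / 1000)),
    oauth_signature_method: 'RSA-SHA256', oauth_body_hash: bodyHash(body),
  };
  const sig = nodeCrypto.sign('sha256', Buffer.from(baseString(method, url, oauth)), privateKey);
  return { ...oauth, oauth_signature: sig.toString('base64') };
}

// Server: recompute the hash over the received body, then verify with the public key.
function verifyRequest(publicKey, method, url, body, { oauth_signature: sig, ...oauth }) {
  if (oauth.oauth_body_hash !== bodyHash(body)) return 'body hash mismatch';
  const data = Buffer.from(baseString(method, url, oauth));
  return nodeCrypto.verify('sha256', data, publicKey, Buffer.from(sig, 'base64')) ? 'valid' : 'bad signature';
}

// Constructed key pair, consumer key, endpoint and body; none is a real credential.
function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'https://api.example.test/search?limit=5';
  const body = '{"name":"Constructed Supplier Ltd"}';
  const sent = signRequest(privateKey, 'constructed-consumer-key', 'POST', url, body);
  const altered = body.replace('Ltd', 'LLC');
  const check = (b, params) => verifyRequest(publicKey, 'POST', url, b, params);
  return { untouched: check(body, sent), bodyAltered: check(altered, sent),
    hashReplaced: check(altered, { ...sent, oauth_body_hash: bodyHash(altered) }) };
}
console.log(demo());
```

A body changed after signing is rejected at the hash comparison, and replacing the hash to match the changed body is rejected at signature verification, because `oauth_body_hash` is itself part of the signed base string.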

Tip: To learn more about the authentication scheme Mastercard uses, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

### How to Consume the Search API? {#how-to-consume-the-search-api}

The two ways of integrating with the Track Search API are:

* [Using a generated API client (recommended)](https://developer.mastercard.com/track-search/documentation/api-basics/index.md#generating-your-own-track-search-api-client)

* [Using a method of your choice](https://developer.mastercard.com/track-search/documentation/api-basics/index.md#using-a-method-of-your-choice)

#### Using a generated API client {#using-a-generated-api-client}

Create customizable API clients from the Search API specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

Follow the steps in [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) to generate an API client to use Mastercard APIs and enable authentication.

#### Using a method of your choice {#using-a-method-of-your-choice}

Search exposes a REST API that you can use with a REST/HTTP client of your choice while leveraging the Mastercard open-source [client libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) for signing your requests.

For more information on using the Search API with a REST/HTTP client of your choice, refer to the [API Reference](https://developer.mastercard.com/track-search/documentation/api-reference/index.md) section.

## Environments {#environments}

The table below describes the two different environments that are available for Mastercard Track Search.

| **Environment** |                                                                                                                                                                **Description**                                                                                                                                                                |
|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Use the sandbox environment to test your integrations. While all validations are applied, the data returned is not real and may change between requests. Sandbox requests do not go through the matching process. Therefore, Sandbox requests process quicker than production requests. Use your Sandbox key to access the Sandbox endpoints. |
| Production      | Use the production environment to get real payments data about your trading partners. Once your production access has been approved, use your Production key to access the production endpoints.                                                                                                                                              |

## Next Steps {#next-steps}

Now that you have an understanding of the service's authentication and encryption, proceed to the [Quick Start Guide](https://developer.mastercard.com/track-search/documentation/quick-start-guide/index.md) section to learn how to access the API and generate your credentials.
