# API Basics
source: https://developer.mastercard.com/user-account-management-service/documentation/api-basics/index.md

## API Security {#api-security}

### Client Authentication {#client-authentication}

Mastercard uses OAuth 1.0a for authenticating your application. You can manage your authentication keys from your [Developer Dashboard](https://developer.mastercard.com/dashboard) after you created a project using Mastercard Loyalty Management.
Tip: Do you want to learn more about the authentication scheme Mastercard uses? For that, read our [Using OAuth 1.0a to Access Mastercard APIs](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/) guide.

### Encryption {#encryption}

The transport between client applications and Mastercard is secured using [TLS/SSL](https://en.wikipedia.org/wiki/Transport_Layer_Security), which means data is encrypted by default when transmitted across networks. Whereas sensitive data like card numbers (Payment Card Industry Data Security Standard) are sent, the entire request payload should be encrypted using the JWE encryption scheme. For further details, refer to [Securing Sensitive Data Using Payload Encryption.](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/)

### Encryption Libraries {#encryption-libraries}

Mastercard has abstracted the encryption scheme into our [client encryption libraries](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#client-libraries), which are available in several of the most used development languages. We highly recommend that you utilize these libraries to encrypt the sensitive data used by this service.

## How to Consume the User Account Management API? {#how-to-consume-the-user-account-management-api}

Note: There are multiple ways of integrating with User Account Management Service:

1. Using a generated API client (recommended)
2. Using a method of your choice

### Generating your API client {#generating-your-api-client}

Create customizable API clients from the User Account Management Service specification and let Mastercard open-source client libraries handle the authentication for you. This approach offers more flexibility and is strongly recommended.

For this, follow our [Generating and Configuring a Mastercard API Client](https://developer.mastercard.com/platform/documentation/security-and-authentication/generating-and-configuring-a-mastercard-api-client/) tutorial with the following API specification:
[user-account-management-api-swagger.yaml](https://static.developer.mastercard.com/content/user-account-management-service/swagger/user-account-management-api-swagger.yaml) (91KB)

### Using a method of your choice {#using-a-method-of-your-choice}

User Account Management exposes a REST API: you are free to use the REST/HTTP client of your choice and can still leverage the Mastercard open-source [client authentication](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#client-libraries) and [client encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/#client-libraries) libraries for signing your requests and dealing with payload encryption.

For that, refer to the User Account Management Service [REST API Reference](https://developer.mastercard.com/user-account-management-service/documentation/api-reference/index.md).

## Environments {#environments}

The table below describes the two different environments that are available.

| **Environment** |                                                                                                                                 **Description**                                                                                                                                 |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sandbox         | Pre-production test environment containing the latest pre-release version of the real APIs, intended for full integration testing prior to moving to production. Use your Sandbox keys to authenticate with this environment. The keys are set up when you create your project. |
| Production      | Full production environment containing the latest production API release.                                                                                                                                                                                                       |