M-Pesa Integration: Accept Mobile Money Payments

Posted on December 12, 2025 | Category: Payments | Reading time: 9 minutes

Overview

M-Pesa (via Safaricom's Daraja platform) is the dominant mobile money system in East Africa. Daraja exposes REST APIs (sandbox & production) that let you initiate payments (STK Push), accept customer-to-business (C2B) payments, and query transaction status. To integrate you will:

  • Create an app on the Daraja developer portal to obtain credentials.
  • Use the Authorization endpoint to obtain an access token.
  • Initiate STK Push or handle C2B callbacks depending on your flow.

Official docs and the developer portal are the authoritative starting point for registration and sandbox setup.

Step 1 — Register and get credentials

Create an account on the Daraja portal, then create a sandbox app (My Apps). The portal gives you a Consumer Key and Consumer Secret for sandbox testing. Use the sandbox credentials during development.

Step 2 — Obtain an access token

Daraja uses an OAuth-like token for API calls. You exchange your Consumer Key and Secret for a short-lived access token (typically one hour). Most tutorials and SDKs show a simple Basic Auth request to the Authorization endpoint. Cache the token server-side and renew it when it expires.

Example (PHP) — request access token

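<?php
// Sandbox credentials from the Daraja portal; keep real values out of source control.
$consumerKey = 'YOUR_CONSUMER_KEY';
$consumerSecret = 'YOUR_CONSUMER_SECRET';
$credentials = base64_encode($consumerKey.':'.$consumerSecret);

$ch = curl_init('https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials');
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Basic '.$credentials]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // do not hang on a slow upstream
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Fail closed on transport errors, non-200 responses, or a body without a token.
$tokenData = ($response === false) ? null : json_decode($response, true);
if ($status !== 200 || empty($tokenData['access_token'])) {
    throw new RuntimeException('Daraja token request failed: HTTP '.$status.' '.$error);
}
$accessToken = $tokenData['access_token']; // cache server-side until it expires
?>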

Step 3 — Initiate STK Push (Lipa na M-Pesa)

STK Push prompts the customer on their phone to approve a payment. Your server constructs a request (with timestamp, BusinessShortCode, amount, callback URL) and posts it to the STK endpoint using the access token. Test this from the sandbox before going live.

Important: Webhooks / callbacks

M-Pesa sends asynchronous callbacks for STK and C2B events. Your callback endpoints must:

  • Accept POSTs (JSON or form-encoded depending on the API)
  • Return a 200 quickly (log then process)
  • Verify payloads where possible and record transaction IDs and statuses for reconciliation

Step 4 — Go-live checklist

Before moving to production you should:

  1. Complete sandbox end-to-end testing (STK, C2B, callbacks).
  2. Prepare production callback endpoints and secure them (HTTPS, IP whitelisting where supported).
  3. Apply for production credentials and follow Safaricom's go-live instructions on the Daraja portal.

Libraries & examples

There are community PHP wrappers and example repos that implement Daraja flows. They are helpful as a reference, but always follow the official docs for production behavior.

Security & reconciliation

Store transaction references and amounts from both your system and the callback to ensure reconciliation. Never log full secrets and rotate credentials if you suspect exposure. Use HTTPS everywhere.
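
The callback checks listed under "Important: Webhooks / callbacks" and the reconciliation advice above can be combined in one handler. The following is an added example, not code from the original post or from Safaricom: the function name, status strings and the in-memory $pending array (standing in for your orders table) are hypothetical, and the callback field names are assumed from Daraja's STK callback format, so confirm them against the official docs.

```php
<?php
// Added example. $pending stands in for an orders table keyed by the
// CheckoutRequestID stored when the STK Push request was sent (assumption).
function reconcileStkCallback(string $rawBody, array &$pending): string
{
    $data = json_decode($rawBody, true);
    $cb = is_array($data) ? ($data['Body']['stkCallback'] ?? null) : null;
    if (!is_array($cb) || !isset($cb['CheckoutRequestID'], $cb['ResultCode'])) {
        return 'rejected: malformed payload';
    }
    $id = (string) $cb['CheckoutRequestID'];
    if (!isset($pending[$id])) {
        return 'rejected: unknown CheckoutRequestID'; // not initiated by us
    }
    if ($pending[$id]['status'] !== 'PENDING') {
        return 'ignored: already processed'; // retry or replay of an old callback
    }
    if ((string) $cb['ResultCode'] !== '0') {
        $pending[$id]['status'] = 'FAILED';
        return 'recorded: payment not completed';
    }
    // Flatten CallbackMetadata.Item ([{Name, Value}, ...]) into a map.
    $meta = [];
    foreach ((array) ($cb['CallbackMetadata']['Item'] ?? []) as $item) {
        if (isset($item['Name'])) { $meta[$item['Name']] = $item['Value'] ?? null; }
    }
    // Compare in cents so float representation cannot skew the comparison.
    $paid = (int) round((float) ($meta['Amount'] ?? -1) * 100);
    $expected = (int) round($pending[$id]['amount'] * 100);
    if ($paid !== $expected || empty($meta['MpesaReceiptNumber'])) {
        $pending[$id]['status'] = 'REVIEW'; // hold for manual reconciliation
        return 'held: amount or receipt mismatch';
    }
    $pending[$id]['status'] = 'PAID';
    $pending[$id]['receipt'] = (string) $meta['MpesaReceiptNumber'];
    return 'recorded: paid';
}
// Constructed sample data, for illustration only.
$pending = ['ws_CO_SAMPLE_0001' => ['amount' => 100, 'status' => 'PENDING']];
$body = json_encode(['Body' => ['stkCallback' => [
    'CheckoutRequestID' => 'ws_CO_SAMPLE_0001', 'ResultCode' => 0,
    'CallbackMetadata' => ['Item' => [
        ['Name' => 'Amount', 'Value' => 100.0],
        ['Name' => 'MpesaReceiptNumber', 'Value' => 'SAMPLE12345'],
    ]],
]]]);
echo reconcileStkCallback($body, $pending), PHP_EOL; // first delivery
echo reconcileStkCallback($body, $pending), PHP_EOL; // same payload delivered again
```

In a real endpoint, respond with 200 as soon as the raw body is logged, then run this check against your database inside a transaction so two concurrent deliveries cannot both mark the order paid.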

Sample flow summary

  1. Obtain access token (server-side).
  2. Send STK Push request (server-side) with callback URL.
  3. User confirms on-phone; Safaricom hits your callback.
  4. Your callback verifies and updates order/payment status.

Conclusion

M-Pesa integration via Daraja gives you a reliable way to accept mobile payments in your PHP apps. Start in the sandbox, handle callbacks carefully, and follow Safaricom's go-live steps when ready. For the official docs and sandbox signup visit the Daraja developer portal.
