💯 A Simple Process for Getting Daraja API Credentials

So you’re building an app or system that needs to talk to M-Pesa — nice! Safaricom’s Daraja API is your gateway to sending, receiving and checking M-Pesa transactions. But before your app can say hello to M-Pesa, you need something important: API credentials.
So let’s investigate and see what they are, how they are used and what they represent ☕️.
What are API Credentials and Why are they Important❓️
Think of it like this:
When you log in to a website e.g., Hashnode, you use your email and password.
When your app logs in to Safaricom, it uses the Consumer Key (email) and Consumer Secret (password).
These are used as security mechanisms to authenticate (identify your app) and authorize (prove that it has permission) to access the Safaricom M-Pesa services on your behalf.
In the case of Daraja API (M-Pesa), the API credentials usually include:
Consumer Key (username/email)
Consumer Secret (password)
They are used to:
Authenticate your app — so Safaricom knows who’s calling their services
Get access tokens — which are temporary “passes/tickets” that let your app make secure requests
Protect the system — only authorized apps can trigger requests e.g., STK Push.
🧪 In Sandbox (Testing):
They help you test M-Pesa operations without using real money. It’s safe for developers to experiment and build.
💵 In Production (Live):
They allow real money transactions. Since money is involved they are tightly controlled and require approval before use.
📝 Important
Keep them secret (never share or expose them publicly).
Store them securely (in .env variables or secret managers).
They are per app — generate separate credentials for each shortcode/application.
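The points above (credentials kept out of source code, used only to obtain a temporary access token) can be sketched as follows. This is an added example, not code from the original post: the environment variable names and the `TokenCache` helper are hypothetical, and the sandbox token URL and the `access_token` / `expires_in` response fields are assumptions about Daraja's OAuth endpoint that this page does not state.

```python
import base64
import os
import time
import urllib.request
from dataclasses import dataclass, field

# Daraja sandbox token endpoint (not given on this page; stated here as an assumption).
SANDBOX_TOKEN_URL = "https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials"


@dataclass(frozen=True)
class DarajaCredentials:
    consumer_key: str
    consumer_secret: str = field(repr=False)  # never printed in logs or tracebacks

    def basic_auth_header(self) -> str:
        raw = f"{self.consumer_key}:{self.consumer_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()


def load_credentials(env=os.environ) -> DarajaCredentials:
    """Read the key pair from the environment; fail closed if either is missing."""
    try:
        key, secret = env["DARAJA_CONSUMER_KEY"].strip(), env["DARAJA_CONSUMER_SECRET"].strip()
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None
    if not key or not secret:
        raise RuntimeError("Daraja credentials are set but empty")
    return DarajaCredentials(key, secret)


def build_token_request(creds, url=SANDBOX_TOKEN_URL) -> urllib.request.Request:
    """Build (but do not send) the token request; the secret travels only in the header."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    return urllib.request.Request(url, headers={"Authorization": creds.basic_auth_header()})


class TokenCache:
    """Reuse the temporary access token until shortly before it expires."""
    def __init__(self, fetch, clock=time.monotonic, skew=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at:
            body = self._fetch()  # expected to return the parsed JSON token response
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["expires_in"]) - self._skew
        return self._token
```

In a real app, `fetch` would send `build_token_request(load_credentials())` and parse the JSON body; it is injected here so the block runs without network access.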
🔍️ How do we Get These Credentials
1️⃣ Sign up for a Safaricom Developer Account
Whether you’re testing or going live, everything starts here:
Head over to https://developer.safaricom.co.ke
Click Sign Up (or Login if you already have an account)
Fill in your details — KYC (Know Your Customer) process
Once you’re in, you’re now officially a Safaricom developer 🎊
2️⃣ Get Sandbox Credentials
This is the staging area. Here you get to play around, test your code/app, break stuff (safely), and make sure everything works before going live.
In the developer portal, go to My Apps
Click Create a new app
Give your app a name e.g., My App :)
Create App
A new application is created and you’ll see the Consumer Key and Consumer Secret in the app.
Use these credentials to move funds around. Don’t worry, any money you spend on sandbox will be reimbursed.
3️⃣ Apply for Production Credentials
Now that you’re confident in your integration (or getting no callback requests from sandbox is getting on your nerves 😠), it’s time to go live and make real transactions.
🖐🏿 Hold your horses, confirm if you have these:
A registered Company
Registered Shortcode (Paybill or Till Number)
Access to M-Pesa Org Portal (will be sent to you after registering the shortcode)
🟩 Confirmed the above, here’s what you need to do:
In the developer portal click the Go Live tab
You’ll be asked to provide a few things:
Organization Short Code
Organization name
M-Pesa Username
Safaricom will review your app manually — this can take a few hours to a few days.
If everything checks out, you’ll be issued a Prod-App which will contain live credentials — 🤝🏾 welcome to the big leagues.
Two emails will be shared with you, i.e., one containing the Passkey and some information on your live application, the other containing the live/prod API URLs.
☝🏿 One More Thing — (Security Credentials)
For some APIs (i.e., B2C), you’ll also need to generate a Security Credential to encrypt sensitive data, which is generated from the Initiator Password.
Don’t worry I got you — How to Get Initiator Name and Password
💭 Final Thoughts
Use sandbox to test everything first — it’s a lifesaver.
Keep your credentials secret — don’t commit them to GitHub!
Set up a public server or tunnel (ngrok) for your callbacks during testing.
Read the docs.
