💯 A Simple Process for Getting Daraja API Credentials

So you’re building an app or system that needs to talk to M-Pesa — nice! Safaricom’s Daraja API is your gateway to sending, receiving and checking M-Pesa transactions. But before your app can say hello to M-Pesa, you need something important: API credentials.

So let’s investigate and see what they are, how they are used and what they represent ☕️.

What are API Credentials and Why are they Important❓️

Think of it like this:

When you log in to a website e.g., Hashnode, you use your email and password.

When your app logs in to Safaricom, it uses the Consumer Key(email) and Consumer Secret(password).

These are used as security mechanisms to authenticate (identify your app) and authorize (prove that it has permission) to access the Safaricom M-Pesa services on your behalf.

In the case of Daraja API (M-Pesa), the API credentials usually include:

• Consumer Key (username/email)

• Consumer Secret (password)

They are used to:

• Authenticate your app — so safaricom knows who’s calling their services

• Get access tokens — which are temporary “passes/tickets” that let your app make secure requests

• Protect the system — only authorized apps can trigger requests e.g., STK Push.

🧪 In Sanbox (Testing):

They help you test M-Pesa operations without using real money. It’s safe for developers to experiment and build.

💵 In Production (Live):

They allow real money transactions. Since money is involved they are tightly controlled and require approval before use.

📝 Important

• Keep them secret (never share or expose them publicly).

• Store them securely (in .env variables or secret managers).

• They are per app — generate separate credentials for each shortcode/application.

🔍️ How do we Get These Credentials

1️⃣ Sign up for a Safaricom Developer Account

Whether you’re testing or going live, everything starts here:

1. Head over to https://developer.safaricom.co.ke

2. Click Sign Up (or Login if you already have an account)

3. Fill in your details — KYC (Know Your Customer) process

4. Once you’re in, you’re now officiall a Safaricom developer 🎊

2️⃣ Get Sandbox Credentials

This is the staging area, here you get to play around, test your code/app, break stuff (safely), and make sure everything works before going live.

1. In the developer portal, go to My Apps

2. Click Create a new app

3. Give your app a name e.g., My App :)

4. Create App

A new application is created and you’ll see the Consumer Key and Consumer Secret in the app.

Use these credentials to move around funds, don’t worry any money you spend on sandbox will be reimbursed.

3️⃣ Apply for Production Credentials

Now you’re confident in your integration (or no callback requests from sandbox is now getting on your nerves 😠), it’s time to go live and make real transactions.

🖐🏿 Hold your horses, confirm if you have these:

1. A registered Company

2. Registered Shortcode (Paybill or Till Number)

3. Access to M-Pesa Org Portal (will be sent to your after registering shortcode)

🟩 Confirmed the above, here’s what you need to do:

1. In the developer portal click the Go Live tab

2. You’ll be asked to provide a few things:

   • Organization Short Code

   • Organization name

   • M-Pesa Username

3. Safaricom will review your app manually — this can take a few hours to a few days.

If everything checks out, you’ll be issued Prod-App which will contain live credentials — 🤝🏾 welcome to the big leagues.

Two emails will be shared with you i.e., one containing Passkey and some information on your live application, the other containing live/prod api urls.

☝🏿One More Thing — ( Security Credentials)

For some APIs (i.e., B2C), you’ll also need to generate a Security Credential to encrypt sensitive data, which is generated from Initiator Password.

Don’t worry I got you — How to Get Initiator Name and Password

💭 Final Thoughts

• Use sandbox to test everything first — it’s a lifesaver.

• Keep your credentials secret — don’t commit them to GitHub!

• Set up a public server or tunnel (ngrok) for your callbacks during testing.

• Read the docs.