DEV Community

Sospeter Mong'are

How to Go Live on the M-Pesa Daraja API

Sandbox testing done? Here's the exact, step-by-step process to get real production credentials from the Daraja portal - faster than you think.

If you've built an STK Push integration that works flawlessly in sandbox and you're wondering "what now?" - this guide is for you. The good news: the new Daraja portal has made going live surprisingly self-service. No lengthy email chains, no weeks of waiting. Just a form, an OTP, a product selection, and your production Consumer Key lands in your apps dashboard. Your Passkey lands straight in your inbox.

Let's walk through the whole thing from start to finish.


What "Going Live" on Daraja Actually Means

Safaricom's Daraja portal gives every developer two environments:

  • Sandbox - fake shortcodes, simulated money, instant access. Perfect for building and breaking things safely.
  • Production - your real Paybill or Till number, real customer money, real consequences if something breaks.

"Going live" is the process of provisioning a production app against your actual business shortcode. Once done, Safaricom creates a new production app under My Apps, gives you a live Consumer Key and Consumer Secret, and emails you your Passkey - the credentials you'll use to call real M-Pesa endpoints.


Before You Start: Prerequisites You Actually Need

Don't touch the Go Live button until these are in place. Missing any one will stop you cold mid-process.

1. A Daraja Developer Account

Register at developer.safaricom.co.ke as an individual or company if you haven't already. You need to be logged in to access the Go Live menu.

2. A Working Sandbox Integration

The Go Live form doesn't ask you to prove it, but it's implicit - you should have already tested your STK Push, C2B, or B2C flow end-to-end in sandbox, including callback handling. Going live against an untested integration is how you end up with real customer money in a broken system.

3. A Live Safaricom Business Shortcode

This is the most common blocker. Your Paybill or Till number must already be registered with Safaricom's business team - a completely separate process from the developer portal. Apply for this early; it often takes longer than the technical work. The Go Live form will ask for your shortcode, so have it ready.

4. Your M-PESA Portal Username

The form requires your Business Admin or Business Manager username from the M-PESA Business Portal (https://org.ke.m-pesa.com/) - not your Daraja login credentials. This is how Safaricom verifies you're authorized to link that shortcode to a production developer app.

5. Access to Your Registered Phone Number / Email for OTP

Step 2 of the Go Live flow sends an OTP to the contact details registered on your account. Make sure you have access to it.

6. A Live HTTPS Callback URL

For APIs like STK Push (Lipa Na M-Pesa), C2B, and B2C, your ResultURL, ConfirmationURL, and ValidationURL must be publicly accessible over HTTPS with a valid SSL certificate. Localhost and Ngrok tunnels don't belong in production.


Step-by-Step: How to Go Live on the Daraja Portal

Step 1: Click "Go Live" in the Sidebar

Log in to your Daraja account. On the left sidebar, you'll see the Go Live menu item - it sits between Test Credentials and APIs. Click it.

The page opens with a clean two-step form: Organization Information → Enter OTP.


Step 2: Fill in Your Organization Information

The first screen asks for four fields:

| Field | What to Enter |
| --- | --- |
| Verification Type | Select Short Code from the dropdown |
| Organization ShortCode | Your live Paybill, Till Number, Head Office, B2C, or Store Number |
| Organization Name | Your company or business name |
| M-PESA Username | Your Business Admin/Manager username from the M-PESA Business Portal |

Accept Safaricom's Terms and Conditions by ticking the checkbox, then click Next.

Pro tip: Your Organization ShortCode and Organization Name must match exactly what's registered on the M-PESA Business Portal. A mismatch is the most common reason this step fails.


Step 3: Enter the OTP

Safaricom sends a One-Time Password to your registered contact (phone or email). Enter it on the second screen to verify your identity and authorize the go-live request.

Didn't receive it? Hit Resend Code - it usually arrives within a minute.


Step 4: Select Your Production APIs

After OTP verification, you'll land on the product selection screen - this is where you tell Safaricom exactly which M-Pesa APIs your app needs in production. The available products include:

  • Lipa Na M-Pesa Production - STK Push and Query (what most apps need for collecting payments)
  • C2B v2 - Customer To Business payments with minimized data
  • B2C - Business To Customer disbursements (e.g. paying out winnings, salaries, refunds)
  • B2B - Business Buy Goods, Business Pay Bill, and B2C Account Top Up
  • Transaction Status - Check the status of any M-Pesa transaction
  • Account Balance - Query your business account balance
  • Reversal - Reverse a completed transaction
  • Dynamic QR - Generate QR codes for payments
  • M-Pesa Ratiba - Recurring/scheduled payment activation
  • Pull Transactions Prod - Pull transaction records via API
  • Mobile Number Validation - Validate mobile numbers against M-Pesa

Tick only what you actually need. Don't check everything by default - each API maps specific permissions to your shortcode, and requesting ones you don't need can cause issues, particularly the B2C/C2B split (a C2B shortcode and a B2C shortcode cannot share the same production app).

Once you've made your selections, click Submit.


Step 5: See the Success Screen and Check Your Apps

Daraja immediately shows a "You have successfully applied for production developer app" confirmation. It also tells you:

"Please check your email for production API URLs against your selected products. Next, we will direct you to view your apps."

Click View Your Apps.

Under My Apps, you'll now see your new production app separate from your sandbox apps. Open it and you'll find your:

  • Consumer Key (production)
  • Consumer Secret (production)

Your Passkey for Lipa Na M-Pesa (STK Push) is sent directly to your registered email - check your inbox.


Now Update Your Code: The Production Swap Checklist

Getting credentials is one thing. Wiring them up correctly is another. Run through this checklist before you process a single live transaction:

  • Replace your sandbox Consumer Key and Consumer Secret with the production ones from your new app.
  • Switch your base URL from https://sandbox.safaricom.co.ke to https://api.safaricom.co.ke.
  • Update your Shortcode from the sandbox test shortcode (174379 for STK Push) to your real Paybill/Till number.
  • Replace your Passkey with the one received in your email - it's different from the sandbox passkey.
  • Regenerate your SecurityCredential using Safaricom's production public certificate (not the sandbox one). Using the wrong certificate is the #1 cause of ResultCode 8006 (Initiator locked) errors for B2C and Account Balance APIs.
  • Verify your Initiator Name and password in the M-PESA Business Portal under the API User section - they must match exactly what you send in B2C/Account Balance requests.
  • Confirm your callback URLs are live, HTTPS, publicly accessible, and returning 200 OK with a valid JSON body.

Your First 24 Hours After Go-Live

Production credentials aren't a finish line - they're a starting gun. Do these before you open up to real users:

  1. Run one small real transaction end-to-end. Trigger an STK Push to yourself for KES 1 and confirm the full loop: request → customer prompt → payment → callback → your database updates correctly.
  2. Log everything. Every API request, every response, every callback payload. You'll need this for reconciliation and for any Safaricom support tickets.
  3. Implement retry logic for callbacks. Safaricom's callback delivery isn't guaranteed on the first attempt - networks fail. Build a retry mechanism or use a queue.
  4. Watch your access token expiry. Production tokens expire every 3600 seconds (1 hour). Never hardcode one - always regenerate before it expires.
  5. Set up transaction monitoring. Unusual error rates, repeated ResultCode failures, or missing callbacks should alert you before your customers notice.

Common Issues After Going Live

ResultCode 8006 - Initiator locked
Your SecurityCredential was generated using the sandbox certificate. Regenerate it using the production certificate from the Daraja portal.

STK Push request goes through but no callback arrives
Your callback URL isn't reachable from Safaricom's servers. Check that it's HTTPS, publicly accessible, and not blocked by a firewall or Cloudflare rule.

"Invalid Access Token" errors
Your token expired. Implement automatic token refresh - either generate a new token before every request, or cache it and refresh after about 50 minutes so it is replaced ahead of the 1-hour expiry.
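
The caching approach described here and in the access-token item of the 24-hour list, as an added example that is not code from the original post or from Safaricom. The `fetch` callable is a hypothetical stand-in for your own token request made with the production Consumer Key and Secret; the demo uses a fake clock and fake fetcher so it runs offline.

```python
import threading
import time

REFRESH_AFTER = 50 * 60  # seconds: the ~50-minute buffer against the 3600 s expiry


class TokenCache:
    """Caches one access token and replaces it before it expires.

    fetch is a hypothetical callable that performs the token request and
    returns the token string; it is an assumption, not a Daraja SDK function.
    """

    def __init__(self, fetch, refresh_after=REFRESH_AFTER, clock=time.monotonic):
        self._fetch = fetch
        self._refresh_after = refresh_after
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._fetched_at = None

    def get(self):
        with self._lock:  # only one refresh at a time across worker threads
            now = self._clock()
            if self._fetched_at is None or now - self._fetched_at >= self._refresh_after:
                # If fetch raises, the old state is kept and the next call retries.
                self._token = self._fetch()
                self._fetched_at = now
            return self._token

    def invalidate(self):
        """Call after an "Invalid Access Token" response to force a refetch."""
        with self._lock:
            self._fetched_at = None


def demo():
    """Constructed run with a fake clock and fake fetcher (no network access)."""
    now = [0]
    calls = []

    def fake_fetch():
        calls.append(now[0])
        return f"token-{len(calls)}"

    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    seen = [cache.get()]                  # first use: fetched
    now[0] = 2999; seen.append(cache.get())  # inside the buffer: cached copy
    now[0] = 3000; seen.append(cache.get())  # 50 minutes elapsed: refreshed
    cache.invalidate(); seen.append(cache.get())  # forced refetch
    return seen, calls
```

Keeping the token only in process memory also means it never lands in source control or a config file.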

Sandbox credentials still working, production returning errors
You missed one of the URL swaps. Double-check every URL, not just the base URL - some SDKs construct endpoint paths in ways that can still hit the sandbox host.
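
A pre-flight check for the production swap checklist and for the missed-URL case above, as an added example that is not code from the original post or from Safaricom. It inspects every endpoint and callback URL the app will use rather than only the base URL. The config key names, the endpoint paths in the sample, and the list of dev-only host markers are assumptions made for the example.

```python
from urllib.parse import urlparse

PROD_HOST = "api.safaricom.co.ke"   # production host from the checklist
SANDBOX_SHORTCODE = "174379"        # sandbox STK Push shortcode from the checklist
DEV_MARKERS = ("localhost", "127.0.0.1", "ngrok")  # assumed dev-only host markers
SECRETS = ("consumer_key", "consumer_secret", "passkey")  # hypothetical key names


def preflight(cfg):
    """Return a list of findings; an empty list means the swap looks complete."""
    findings = []
    for name in SECRETS:
        if not cfg.get(name):
            findings.append(f"{name}: missing")
    if cfg.get("shortcode") == SANDBOX_SHORTCODE:
        findings.append("shortcode: still the sandbox test shortcode")
    # Check each endpoint as the app or SDK actually builds it.
    for name, url in cfg.get("api_urls", {}).items():
        u = urlparse(url)
        # Exact host match also rejects lookalike hosts, not just the sandbox.
        if u.scheme != "https" or u.hostname != PROD_HOST:
            findings.append(f"api_urls.{name}: not https://{PROD_HOST}")
    for name, url in cfg.get("callback_urls", {}).items():
        u = urlparse(url)
        host = u.hostname or ""
        if u.scheme != "https":
            findings.append(f"callback_urls.{name}: not HTTPS")
        if any(marker in host for marker in DEV_MARKERS):
            findings.append(f"callback_urls.{name}: dev-only host {host}")
    return findings


# Constructed sample: a half-finished swap with placeholder secrets.
SAMPLE = {
    "consumer_key": "PLACEHOLDER_KEY",
    "consumer_secret": "PLACEHOLDER_SECRET",
    "passkey": "",
    "shortcode": "174379",
    "api_urls": {
        "oauth": "https://api.safaricom.co.ke/oauth/v1/generate",
        "stk_push": "https://sandbox.safaricom.co.ke/mpesa/stkpush/v1/processrequest",
    },
    "callback_urls": {"stk_result": "http://abc123.ngrok.io/mpesa/callback"},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FAIL", finding)
```

Run it at deploy time and refuse to start the service when the list is non-empty.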


Final Thoughts

The Daraja go-live process on the new portal is genuinely self-service and fast - if your prerequisites are in order, you can go from clicking "Go Live" to having a production Consumer Key in your dashboard in under 10 minutes. The bottleneck is almost never the portal itself; it's having your shortcode registered, your M-PESA Portal username ready, and your callbacks deployed to a live server before you sit down to do this.

Get those in place, and going live is just a form, an OTP, and a checkbox away.


Hit a specific error during your Daraja go-live - like ResultCode 8006, a missing passkey email, or a callback that never fires? Drop it in the comments or reach out to me by email.
