The Moflay API uses API keys to authenticate public API requests. Send the key as a Bearer token in the Authorization header.
Authorization: Bearer mof_test_your_api_key

API key prefixes

| Prefix | Environment |
| --- | --- |
| mof_test_ | Sandbox |
| mof_live_ | Production |

The API key determines the business, environment, and permissions for the request. Do not pass business or environment IDs in public API requests.

Create and store keys

Create keys in the API Keys dashboard. Copy the raw key when it is created and store it in your secret manager or deployment environment variables.
export MOFLAY_API_KEY="mof_test_your_api_key"
Treat API keys like passwords. Do not commit them to source code, expose them in frontend apps, or share them in support tickets.

Permissions

Each key has a permission set. Current public API permissions include:

| Permission | Allows |
| --- | --- |
| express.pay | Create M-Pesa Express payment requests |
| customers.read | Read customer records |
| customers.write | Create, update, or delete customer records |
| transactions.read | Read transactions and payment status |

Authentication errors

Missing API key

If you do not include the Authorization header, the API returns 401 Unauthorized.
{
  "error": {
    "status": 401,
    "code": "missing_api_key",
    "message": "Missing API key in the authorization header."
  }
}

Invalid API key

If the key is incorrect, malformed, or not found, the API returns 403 Forbidden.
{
  "error": {
    "status": 403,
    "code": "invalid_api_key",
    "message": "API key is invalid."
  }
}

Insufficient permissions

If the key does not have the permission required by an endpoint, the API returns 422 Unprocessable Entity.
{
  "error": {
    "status": 422,
    "code": "invalid_access",
    "message": "The API key does not have the necessary permissions to access this resource."
  }
}
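
The following client-side sketch is an added example, not Moflay's own code. It reads the key from MOFLAY_API_KEY, refuses a key whose prefix does not match the intended environment, and maps the three documented error bodies to an action. The function names, the KeyConfigError class and the action strings are hypothetical.

```python
import json
import os

# Prefixes, statuses and error codes come from this page; function names are hypothetical.
PREFIXES = {"mof_test_": "sandbox", "mof_live_": "production"}
AUTH_ERRORS = {
    "missing_api_key": (401, "send the Authorization header"),
    "invalid_api_key": (403, "replace the key; do not retry with the same value"),
    "invalid_access": (422, "use a key whose permission set covers this endpoint"),
}


class KeyConfigError(Exception):
    """Raised before any request is sent, so a bad key never leaves the process."""


def redact(key):
    """Return a log-safe form: the environment prefix only, never the secret part."""
    for prefix in PREFIXES:
        if key.startswith(prefix):
            return prefix + "***"
    return "***"


def auth_headers(expected_env, environ=os.environ):
    """Build the Bearer header, refusing a key from the wrong environment."""
    key = environ.get("MOFLAY_API_KEY", "").strip()
    if not key:
        raise KeyConfigError("MOFLAY_API_KEY is not set")
    env = next((e for p, e in PREFIXES.items()
                if key.startswith(p) and len(key) > len(p)), None)
    if env is None:
        raise KeyConfigError("key has no mof_test_ or mof_live_ prefix")
    if env != expected_env:
        raise KeyConfigError(f"{redact(key)} is a {env} key, expected {expected_env}")
    return {"Authorization": f"Bearer {key}"}


def classify_auth_error(status, body):
    """Return (code, action) for a documented auth error, else None.

    Dispatches on error.code, not the status alone: 422 here can mean a
    permission problem, which a generic validation-error handler would hide.
    """
    try:
        code = json.loads(body)["error"]["code"]
        expected = AUTH_ERRORS.get(code)
    except (ValueError, KeyError, TypeError):
        return None
    if expected is None or expected[0] != status:
        return None
    return code, expected[1]
```

Calling auth_headers("sandbox") in test suites and auth_headers("production") only in the deployed service keeps a live key from being used by accident, and the error message it raises never contains the secret part of the key.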