Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.moflay.com/llms.txt

Use this file to discover all available pages before exploring further.

Production credentials link your live Safaricom Daraja app to Moflay so STK Push requests use your real till or paybill.

Prerequisites

  • A Moflay organization with access to the production environment
  • A valid till or paybill from your M-Pesa business onboarding (live shortcode)
  • Access to the Safaricom Daraja developer portal

Part A: Obtain values from Safaricom

Safaricom’s portal labels and steps change over time. Use developer.safaricom.co.ke and the official API documentation inside the portal as the source of truth—not third-party tutorials. At a high level, you will:
  1. Register or sign in to the Daraja developer portal (often a company account for production use).
  2. Create or open an app tied to your integration and enable the Lipa na M-Pesa Online / STK Push (or equivalent) product for that app.
  3. Complete any go-live or production onboarding steps the portal requires for live traffic.
  4. Collect the following for your live app (names may appear slightly differently in the portal):
ValuePurpose
Consumer keyOAuth2 client id for Daraja
Consumer secretOAuth2 client secret; with the key, used to obtain a bearer access token
Business shortcodeYour live till or paybill number used in API requests
PasskeyUsed with the shortcode (and timestamp) to build the STK password field
Shortcode typeWhether the shortcode is a till or paybill (or the type Moflay expects in the dashboard)
Sandbox vs production: Test apps and keys use Safaricom’s sandbox base URL; production uses the live host. Moflay stores your credentials per environment—you paste production values only when production is selected in the dashboard. If anything in the portal disagrees with this page, follow the portal.

Part B: Add credentials to Moflay

1

Open the production environment

Go to Credentials in the Moflay dashboard and switch from sandbox to production.
2

Enter the live Daraja values

Paste your consumer key, consumer secret, shortcode, and passkey. Choose the correct short code type (for example till or paybill).
3

Save the configuration

Save so Moflay encrypts and stores the credentials for your business in production.
4

Create a production API key

Generate a mof_live_ API key for the service that will call Moflay in production.

Why Moflay does not ask for a Callback URL here

Moflay sets Safaricom’s STK CallBackURL automatically when initiating each payment. Your server should listen for Moflay webhooks, not raw Daraja callbacks. See Daraja callbacks.

Important behavior

  • Moflay exchanges OAuth tokens with Daraja using the stored key and secret—you do not implement token requests yourself.
  • Your backend should consume Moflay webhooks for lifecycle events (for example payment.completed). See Webhook events.

Verify the result

Your production setup is complete when:
  • Credentials save successfully in the production environment
  • Credentials show as active and valid in the dashboard
  • A mof_live_ API key authenticates successfully
  • A controlled live payment test completes end to end

Troubleshooting

  • Payment request fails immediately: Recheck consumer key, consumer secret, shortcode, passkey, and shortcode type. See Credential security if you suspect leakage or rotation issues.
  • Sandbox works but production does not: Confirm you switched both the credentials page and your API key to production.
  • Your backend never sees final status: Configure Moflay webhooks and verify signature verification. See Daraja callbacks for how status is determined.