# 💯 A Simple Process for Getting Daraja API Credentials

So you’re building an app or system that needs to talk to M-Pesa — nice! [Safaricom’s Daraja API](https://developer.safaricom.co.ke/) is your gateway to sending, receiving and checking M-Pesa transactions. But before your app can say hello to M-Pesa, you need something important: **API credentials.**

So let’s investigate and see what they are, how they are used and what they represent ☕️.

## What are API Credentials and Why are they Important❓️

Think of it like this:

> When you log in to a website e.g., [Hashnode](https://hashnode.com/onboard?loginWithEmail=true), you use your email and password.
> 
> When your **app logs in to Safaricom, it uses the Consumer Key (email) and Consumer Secret (password).**

These act as a security mechanism to authenticate your app (*identify it*) and authorize it (*prove it has permission*) to access Safaricom’s M-Pesa services on your behalf.

In the case of **Daraja API (M-Pesa),** the API credentials usually include:

* Consumer Key (username/email)
    
* Consumer Secret (password)
    

They are used to:

* **Authenticate your app** — so Safaricom knows who’s calling its services
    
* **Get access tokens** — which are temporary “passes/tickets” that let your app make secure requests
    
* **Protect the system** — only authorized apps can trigger requests e.g., STK Push.
    

🧪 **In Sandbox (Testing):**

They help you test M-Pesa operations without using real money. It’s safe for developers to experiment and build.

💵 **In Production (Live):**

They allow real money transactions. Since money is involved, they are tightly controlled and require approval before use.

📝 **Important**

* Keep them secret (never share or expose them publicly).
    
* Store them securely (in environment variables loaded from a .env file, or in a secret manager).
    
* They are **per app** — generate separate credentials for each shortcode/application.
    
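As an added example (not code from the original post), here is how the Consumer Key and Consumer Secret turn into an access token while staying out of your source tree: the pair is read from environment variables, sent as an HTTP Basic header to the Daraja token endpoint, and the returned token is cached with an expiry margin. The token endpoint path (from Safaricom’s Daraja docs), the environment variable names DARAJA_CONSUMER_KEY / DARAJA_CONSUMER_SECRET and the redaction helper are this example’s own assumptions.

```python
import base64
import json
import os
import time
import urllib.request

# Assumed by this example: the token endpoint path from Safaricom's Daraja docs
# and the env var names below. The production base URL comes in the go-live email.
SANDBOX_BASE = "https://sandbox.safaricom.co.ke"

def load_credentials():
    """Read the Consumer Key/Secret from the environment so they never live in source control."""
    key = os.environ.get("DARAJA_CONSUMER_KEY")
    secret = os.environ.get("DARAJA_CONSUMER_SECRET")
    if not key or not secret:
        raise RuntimeError("DARAJA_CONSUMER_KEY / DARAJA_CONSUMER_SECRET not set")
    return key, secret

def basic_auth_header(key: str, secret: str) -> str:
    """Daraja expects HTTP Basic auth: base64('<ConsumerKey>:<ConsumerSecret>')."""
    return "Basic " + base64.b64encode(f"{key}:{secret}".encode()).decode()

def build_token_request(key: str, secret: str, base_url: str = SANDBOX_BASE):
    """GET request for a client_credentials access token (built here, not sent)."""
    url = f"{base_url}/oauth/v1/generate?grant_type=client_credentials"
    return urllib.request.Request(url, headers={"Authorization": basic_auth_header(key, secret)})

def parse_token_response(body: str, now: float):
    """Return (access_token, expiry_timestamp); Daraja sends expires_in as a string of seconds."""
    data = json.loads(body)
    return data["access_token"], now + int(data["expires_in"])

def token_is_fresh(expiry: float, now: float, margin: int = 60) -> bool:
    """Refresh a little before expiry so an in-flight request never uses a dead token."""
    return now < expiry - margin

def redact(secret: str) -> str:
    """Log-safe form of a credential: show only the first four characters."""
    return secret[:4] + "..." if len(secret) > 4 else "****"

def send_token_request(key: str, secret: str):
    """Actually call the sandbox (needs network access and real sandbox credentials)."""
    with urllib.request.urlopen(build_token_request(key, secret), timeout=10) as resp:
        return parse_token_response(resp.read().decode(), time.time())
```

Only `send_token_request` touches the network; everything else can be unit-tested offline, which is also where you check that nothing logs the raw secret.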

## 🔍️ How do we Get These Credentials

### 1️⃣ Sign up for a Safaricom Developer Account

Whether you’re testing or going live, everything starts here:

1. Head over to [https://developer.safaricom.co.ke](https://developer.safaricom.co.ke)
    
2. Click **Sign Up** (or **Login** if you already have an account)
    
3. Fill in your details — KYC (Know Your Customer) process
    
4. Once you’re in, you’re now officially a Safaricom developer 🎊
    

### 2️⃣ Get Sandbox Credentials

This is the staging area: here you get to play around, test your code/app, break stuff (safely), and make sure everything works before going live.

1. In the developer portal, go to **My Apps**
    
2. Click **Create a new app**
    
3. Give your app a name e.g., My App :)
    
4. Create App
    

A new application is created and you’ll see the **Consumer Key** and **Consumer Secret** in the app.

Use these credentials to move funds around; don’t worry, any money you spend in the sandbox will be reimbursed.

### 3️⃣ Apply for Production Credentials

Now that you’re confident in your integration (or the lack of callback requests from the sandbox is getting on your nerves 😠), it’s time to go live and make real transactions.

🖐🏿 Hold your horses, confirm if you have these:

1. A registered Company
    
2. Registered Shortcode (Paybill or Till Number)
    
3. Access to the [M-Pesa Org Portal](https://org.ke.m-pesa.com/) (details will be sent to you after registering your shortcode)
    

🟩 Once you’ve confirmed the above, here’s what you need to do:

1. In the developer portal click the **Go Live** tab
    
2. You’ll be asked to provide a few things:
    
    * Organization Short Code
        
    * Organization name
        
    * M-Pesa Username
        
3. Safaricom will review your app manually — this can take a few hours to a few days.
    

If everything checks out, you’ll be issued a **Prod-App** containing your live credentials — 🤝🏾 welcome to the big leagues.

Two emails will be sent to you: one containing the **Passkey** and some information on your live application, the other containing the **live/production API URLs.**

## ☝🏿 One More Thing — (Security Credentials)

For some APIs (e.g., B2C), you’ll also need a **Security Credential**: an encrypted form of sensitive data that is generated from the **Initiator Password.**

Don’t worry, I’ve got you covered: [How to Get Initiator Name and Password](https://hashnode.com/post/cmaxzv2i0001g09lb2x4k3z9x)

## 💭 Final Thoughts

* Use sandbox to test everything first — it’s a lifesaver.
    
* Keep your credentials secret — don’t commit them to GitHub!
    
* Set up a public server or tunnel (e.g., ngrok) for your callbacks during testing.
    
* Read the docs.
