SmartPay — M-Pesa Payment API for Kenyan Businesses | STK Push Integration

The M-Pesa API Kenyan businesses actually trust

Accept STK Push payments in 3 lines of code. Real-time fraud detection, KYC verification, and a full analytics dashboard — all included. No hidden fees. No setup chaos.

  • 1M+ transactions
  • KSh 2B+ processed
  • 99.9% uptime SLA
  • 1,000+ businesses
Platform features

More than just STK Push

SmartPay is the only Kenyan M-Pesa API with built-in fraud detection, KYC verification, and per-phone rate limiting — not just a pass-through to Daraja.

SmartPay exclusive

AI Fraud Detection — Real-Time

Every callback runs through our FraudDetector engine. It monitors failure rates, phone number diversity, and success ratios across your API key. Suspicious patterns trigger automatic suspension and admin alerts — before money moves. No other Kenyan payment API does this out of the box.

STK Push in 3 Lines

One endpoint, one auth header. Handles 254 prefix, leading zero, and all Kenyan phone formats automatically.

SmartPay exclusive

KYC Verification Built In

Full name, national ID, front/back photos, and selfie — stored securely outside webroot. Admin-reviewed before any live access is granted.

4-Layer Rate Limiting

IP, key-per-minute, key-per-day, and per-phone limits enforced before any STK Push fires. Stops abuse automatically.

Instant Webhooks

Callback arrives at your URL in milliseconds, in Safaricom's exact format. Failure and success both handled correctly.

Analytics Dashboard

Live revenue charts, transaction logs, failure rate monitoring, and month-over-month comparisons. Everything in one place.

Multi-App API Keys

Separate keys per application, each with independent rate limits, callback URLs, and payment destinations.

SMS Confirmations

Automatic SMS receipts to your customers on every confirmed payment. Built into the platform, no third-party needed.

SmartPay Wallet

Internal wallet with balance management, peer transfers, and routing to M-Pesa Till, Paybill, or bank accounts.

How it works

Live in under 10 minutes

From registration to your first real M-Pesa payment — no Safaricom Daraja account required to start.

Sign Up

Create Your Account

Register with your email. No contracts, no credit card. Your sandbox API key is issued immediately upon email verification.

Configure

Set Up Your API Key

Set your payment destination — SmartPay wallet, Till number, Paybill, or bank. Add your callback URL. Choose your plan. Done.

Go Live

Accept Real Payments

One API call triggers STK Push on your customer's phone. Callback hits your URL. Money lands in your account. Fraud detection runs silently throughout.

Developer-first

One endpoint. Three lines of PHP.

No SDK. No wrapper library. Plain HTTP to a single endpoint — works with every language, every framework.

  • No SDK required — plain HTTP with cURL, file_get_contents, Axios, or fetch
  • Complete docs with cURL, PHP, and JavaScript examples for every endpoint
  • Idempotent requests — safe to retry; HMAC reference numbers prevent double-charges
  • X-RateLimit headers on every response — know exactly how many calls remain
  • Transparent errors — every failure returns a descriptive machine-readable code
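stk_push.php
<?php
// Trigger M-Pesa STK Push — SmartPay API

// Load the key from the environment rather than hardcoding it in source.
// SMARTPAY_API_KEY is an example variable name, not one the platform defines.
$YOUR_API_KEY = getenv('SMARTPAY_API_KEY');

$ch = curl_init('https://smartpaypesa.com/initiatestk');

curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => [
        'Content-Type: application/json',
        'Authorization: ' . $YOUR_API_KEY,
    ],
    CURLOPT_POSTFIELDS => json_encode([
        'phone'  => '254712345678',
        'amount' => 1500,
    ]),
]);

$raw = curl_exec($ch);
if ($raw === false) {
    // Transport failure (DNS, TLS, timeout): there is no response to parse
    throw new RuntimeException('STK Push request failed: ' . curl_error($ch));
}

$res = json_decode($raw);
// $res->checkoutRequestID — poll or wait for callback

Successful response:

{
  "success":           true,
  "checkoutRequestID": "ws_CO_17062025...",
  "message":           "STK Push sent",
  "rateLimit":         97
}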
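The request above ends by waiting for a callback, and a merchant endpoint should check that callback against its own records before fulfilling an order. The following is an added example in JavaScript, not SmartPay's code: it assumes the body follows Daraja's stkCallback layout (the page says callbacks arrive in Safaricom's exact format), and `handleStkCallback`, `pending` and `processed` are hypothetical names for your own handler and order store.

```javascript
// Added example. Assumes the callback body has Daraja's stkCallback shape;
// `pending` and `processed` are hypothetical stand-ins for your order store.
function metadataToObject(items) {
  const out = {};
  for (const item of Array.isArray(items) ? items : []) {
    if (item && typeof item.Name === 'string') out[item.Name] = item.Value;
  }
  return out;
}

function handleStkCallback(rawBody, pending, processed) {
  let cb;
  try {
    cb = JSON.parse(rawBody)?.Body?.stkCallback;
  } catch {
    return { status: 'rejected', reason: 'bad_json' };
  }
  if (!cb || typeof cb.CheckoutRequestID !== 'string') {
    return { status: 'rejected', reason: 'malformed' };
  }
  const id = cb.CheckoutRequestID;
  if (processed.has(id)) return { status: 'duplicate' };      // replayed callback
  const order = pending.get(id);
  if (!order) return { status: 'rejected', reason: 'unknown_request' };

  if (cb.ResultCode !== 0) {                                   // only numeric 0 is success
    pending.delete(id); processed.add(id);
    return { status: 'failed', resultCode: cb.ResultCode };
  }
  const meta = metadataToObject(cb.CallbackMetadata?.Item);
  if (Number(meta.Amount) !== order.amount || String(meta.PhoneNumber) !== order.phone) {
    return { status: 'rejected', reason: 'mismatch' };         // do not fulfil
  }
  pending.delete(id); processed.add(id);
  return { status: 'paid', receipt: String(meta.MpesaReceiptNumber) };
}

// Constructed sample callback (not captured traffic).
const SAMPLE_PAID = JSON.stringify({ Body: { stkCallback: {
  MerchantRequestID: 'EXAMPLE-1', CheckoutRequestID: 'ws_CO_EXAMPLE_0001',
  ResultCode: 0, ResultDesc: 'The service request is processed successfully.',
  CallbackMetadata: { Item: [
    { Name: 'Amount', Value: 1500 },
    { Name: 'MpesaReceiptNumber', Value: 'EXAMPLE123' },
    { Name: 'TransactionDate', Value: 20250617101500 },
    { Name: 'PhoneNumber', Value: 254712345678 },
  ] },
} } });
```

Record the `checkoutRequestID` returned by the initiate call in `pending` together with the amount and phone you requested, so a callback can only settle an order you actually opened.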
Enterprise security

Security that runs before code does

SmartPay doesn't bolt security on after launch. Every layer — from IP validation to AI fraud scoring — runs before any payment is attempted.

  • AI Fraud Engine — real-time scoring on every Safaricom callback. High failure rates, phone diversity spikes, and low success ratios trigger auto-suspension.
  • Safaricom IP Whitelist — callbacks only accepted from Safaricom's published IP ranges. Spoofed callbacks are silently dropped.
  • CSRF + Session Hardening — HMAC-SHA256 tokens on every form. HttpOnly, Secure, SameSite cookies. Session ID regenerated on login.
  • 4-Layer Rate Limiting — IP, key-per-minute, key-per-day, and per-phone (max 3 pushes / 5 min) enforced before STK Push fires.
  • KYC Gate — API keys cannot go live until business identity is verified and admin-approved. Prevents anonymous abuse.
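The per-phone limit in the list above (max 3 pushes / 5 min) only holds if every spelling of a number maps to the same counter. The following is an added example, not SmartPay's implementation, of a sliding-window limiter keyed on the normalized number; `normalizeMsisdn` and `PhoneRateLimiter` are hypothetical names, and accepting national numbers that start with 7 or 1 is an assumption.

```javascript
// Added example: per-phone sliding-window limit (3 pushes / 5 min) keyed on a
// normalized MSISDN. All names are hypothetical, not SmartPay's code.
const WINDOW_MS = 5 * 60 * 1000;
const MAX_PUSHES = 3;

// Map 0712..., 712..., 254712... and +254 712 ... to 254712...; null if invalid.
function normalizeMsisdn(input) {
  const digits = String(input).trim().replace(/^\+/, '').replace(/[\s-]/g, '');
  if (!/^\d+$/.test(digits)) return null;
  let national = digits;
  if (digits.startsWith('254')) national = digits.slice(3);
  else if (digits.startsWith('0')) national = digits.slice(1);
  // Assumption: 9-digit national numbers beginning with 7 or 1.
  return /^[17]\d{8}$/.test(national) ? '254' + national : null;
}

class PhoneRateLimiter {
  constructor(max = MAX_PUSHES, windowMs = WINDOW_MS) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // msisdn -> timestamps (ms) of accepted pushes
  }

  // Call before the STK Push is sent; records the push only when allowed.
  check(rawPhone, now = Date.now()) {
    const msisdn = normalizeMsisdn(rawPhone);
    if (msisdn === null) return { allowed: false, reason: 'invalid_phone' };
    // Keep only pushes still inside the window.
    const recent = (this.hits.get(msisdn) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(msisdn, recent);
      const retryAfterMs = recent[0] + this.windowMs - now;
      return { allowed: false, reason: 'phone_rate_limited', retryAfterMs };
    }
    recent.push(now);
    this.hits.set(msisdn, recent);
    return { allowed: true, msisdn };
  }
}
```

Counting on the raw string instead of the normalized number would let `0712345678`, `254712345678` and `+254 712 345 678` each get their own allowance for the same handset.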

HTTPS Only

All traffic TLS-encrypted end to end

CSRF Tokens

HMAC-validated on every action

AI Fraud Engine

Real-time pattern scoring

IP Whitelist

Safaricom IPs only

Rate Limiting

4 independent layers

Auto Alerts

Admin notified instantly

64-char API Keys

Cryptographically random

KYC Gate

Verified before going live

Pricing

Simple flat pricing. No per-transaction fees.

Everything is included in your subscription. Fraud detection, KYC, analytics, SMS — not locked behind expensive tiers.

Starter
KSh 400 per month
  • M-Pesa STK Push API
  • Up to 1,000 API calls/month
  • Real-time webhooks
  • Fraud detection
  • Analytics dashboard
  • Email support
Get started today

Build your payment infrastructure in minutes

Join 1,000+ Kenyan businesses accepting M-Pesa payments through SmartPay. Fraud-protected. KYC-verified. No credit card required.

No credit card  ·  Sandbox available  ·  Live in 10 minutes  ·  Cancel anytime