The Complete Guide to M-Pesa Integration for Online Stores
M-Pesa is the #1 payment method in Kenya. Learn how to integrate it seamlessly into your ecommerce store for frictionless checkout.
M-Pesa processes over 60 billion KES in transactions daily. For any Kenyan ecommerce business, M-Pesa integration isn't optional — it's essential. This guide covers everything you need to know about adding M-Pesa to your online store.
Understanding the Daraja API
Safaricom's Daraja API is the official gateway for M-Pesa integration. It supports several transaction types, but for ecommerce, you'll primarily use Lipa Na M-Pesa Online (STK Push). This sends a payment prompt directly to your customer's phone — they just enter their PIN and the payment is processed. No manual paybill entry, no room for errors.
STK Push: The Gold Standard
STK Push is the checkout experience your customers expect. Here's how it works: the customer clicks 'Pay', enters their phone number, receives a prompt on their phone, enters their M-Pesa PIN, and the payment is confirmed — all within 10 seconds. Compare this to asking customers to go to M-Pesa, navigate to Lipa Na M-Pesa, enter your paybill number, account number, and amount manually. The STK Push approach reduces checkout friction dramatically.
Setting Up Your Business
To integrate M-Pesa, you need: a Safaricom Paybill or Till Number (apply through Safaricom Business), a Daraja API developer account (free to create at developer.safaricom.co.ke), and your API credentials (Consumer Key and Consumer Secret). The application process takes 2–5 business days for the Paybill/Till, and API access is instant once you have your business shortcode.
Handling Callbacks & Confirmations
When a payment is processed, Safaricom sends a callback to your server with the transaction details. Your store needs to listen for these callbacks, verify the payment amount matches the order total, and then update the order status automatically. This is where many DIY integrations fail — handling edge cases like timeouts, insufficient funds, and duplicate callbacks requires careful engineering.
Security Best Practices
Never expose your API credentials on the frontend. All M-Pesa API calls should happen server-side. Use HTTPS for all callback URLs. Validate every callback against the expected transaction details (the request ID you initiated and the amount you stored for that order). Implement idempotency so that a duplicate callback never credits an order twice. And always log every transaction for reconciliation purposes.
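As an added illustration of the callback handling described above and of the validation, idempotency and logging points in this section (example code, not DopeDuka's implementation), the handler below processes an STK Push callback: it only acts on CheckoutRequestIDs the store itself initiated, compares the paid amount with the stored order total, ignores replayed success callbacks, and records every callback. The in-memory ORDERS and TRANSACTION_LOG tables stand in for a database, the field names follow Daraja's documented stkCallback payload, and all sample values are constructed.

```python
import json
from decimal import Decimal

# Constructed stand-ins for the store database (assumed; not real store code).
# Orders are keyed by the CheckoutRequestID returned when the STK Push was initiated.
ORDERS = {
    "ws_CO_DEMO_0001": {"total": Decimal("1500.00"), "status": "pending", "receipt": None},
    "ws_CO_DEMO_0002": {"total": Decimal("2500.00"), "status": "pending", "receipt": None},
    "ws_CO_DEMO_0003": {"total": Decimal("800.00"), "status": "pending", "receipt": None},
}
TRANSACTION_LOG = []  # every callback is appended here for reconciliation


def _items_to_dict(items):
    """Flatten Daraja's CallbackMetadata.Item list into a {Name: Value} dict."""
    return {item["Name"]: item.get("Value") for item in items}


def handle_stk_callback(raw_body: str) -> dict:
    """Process one STK Push callback; safe to call repeatedly with the same payload."""
    cb = json.loads(raw_body)["Body"]["stkCallback"]
    checkout_id = cb["CheckoutRequestID"]
    TRANSACTION_LOG.append({"checkout_id": checkout_id, "code": cb["ResultCode"], "desc": cb["ResultDesc"]})
    order = ORDERS.get(checkout_id)
    if order is None:
        # Not a request we initiated: never create or update an order from an unsolicited callback.
        return {"status": "ignored", "reason": "unknown CheckoutRequestID"}
    if order["status"] == "paid":
        # Idempotency: a replayed success callback must not mark the order paid twice.
        return {"status": "duplicate", "receipt": order["receipt"]}
    if cb["ResultCode"] != 0:
        # Cancelled, timed out, wrong PIN, insufficient balance all arrive as non-zero codes.
        order["status"] = "failed"
        return {"status": "failed", "reason": cb["ResultDesc"]}
    meta = _items_to_dict(cb["CallbackMetadata"]["Item"])
    paid = Decimal(str(meta["Amount"]))
    if paid != order["total"]:
        # Never trust the callback's amount alone: compare it with the total stored for the order.
        order["status"] = "amount_mismatch"
        return {"status": "amount_mismatch", "expected": str(order["total"]), "received": str(paid)}
    order["status"] = "paid"
    order["receipt"] = meta["MpesaReceiptNumber"]
    return {"status": "paid", "receipt": order["receipt"]}


def sample_callback(checkout_id, result_code, amount=None, receipt=None) -> str:
    """Build a constructed callback in the documented stkCallback shape (all values made up)."""
    cb = {"MerchantRequestID": "demo-merchant-req", "CheckoutRequestID": checkout_id,
          "ResultCode": result_code, "ResultDesc": "ok" if result_code == 0 else "Request cancelled by user"}
    if result_code == 0:
        cb["CallbackMetadata"] = {"Item": [{"Name": "Amount", "Value": amount},
                                           {"Name": "MpesaReceiptNumber", "Value": receipt},
                                           {"Name": "TransactionDate", "Value": 20240101120000},
                                           {"Name": "PhoneNumber", "Value": 254700000000}]}
    return json.dumps({"Body": {"stkCallback": cb}})
```

In a real deployment the handler runs behind an HTTPS endpoint and the order lookup, status update and receipt write happen in one database transaction so that two concurrent duplicate callbacks cannot both pass the paid check.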
Testing Before Going Live
Daraja provides a sandbox environment for testing. Use it extensively before switching to production. Test every scenario: successful payments, cancelled payments, timeouts, wrong PIN attempts, and insufficient balance. Your store should handle all of these gracefully with clear customer messaging.
Let Us Handle It
M-Pesa integration is included in every DopeDuka store build. We handle the API setup, callback configuration, error handling, and testing. Your customers get a seamless one-tap payment experience, and you get reliable, automated payment processing from day one.
Need help with your ecommerce store?
Our team is ready to help you build, manage, and grow your online business. Get in touch today.
Talk to Our Team