Safaricom’s Daraja API enables developers to integrate with M-Pesa and create seamless payment solutions. To securely access these APIs, you first need to obtain an access token using a dedicated authorization endpoint. This access token is valid for 3600 seconds (1 hour) and must be renewed when it expires. This guide will walk you through the steps for generating an access token, including details for testing on Postman.
Overview: Authentication API
The Authorization API provides a time-bound access token required for calling other Daraja APIs. This is a foundational step, as all other API calls require this token for authentication.
Endpoint Summary
- Method: GET
- URL: https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
- Grant Type: client_credentials
Prerequisites
To use this endpoint, you’ll need:
- Consumer Key
- Consumer Secret
These credentials are generated when you register your application on the Daraja portal under My Apps.
Step-by-Step Guide to Generating an Access Token
Step 1: Set Up the Request in Postman
1. Open Postman and Create a New Request
- Choose the GET method.
- Enter the endpoint URL: https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
2. Set Up Authorization in Postman
- Go to the Authorization tab in Postman.
- Select Basic Auth as the type.
- Enter your Consumer Key in the Username field.
- Enter your Consumer Secret in the Password field.
- Postman will automatically generate the necessary authorization header.
Step 2: Request Headers
You don’t need to add any headers manually because Basic Auth will populate the Authorization header automatically, containing the Base64-encoded Consumer Key and Consumer Secret.
Step 3: Send the Request
Click Send in Postman to make the request. If successful, you’ll receive a response with your access token and its expiry time.
Request Example
Below is an example of the request you’ll be sending to obtain the access token:
- Method: GET
- URL: https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
- Authorization Type: Basic Auth
Request Body
There’s no additional body content required for this GET request.
Headers
Header | Value |
---|---|
Authorization | Basic <Base64-encoded Consumer Key:Consumer Secret> |
Query Parameters
Parameter | Description | Type | Value |
---|---|---|---|
grant_type | Specifies the grant type, which is supported as client_credentials | Query | client_credentials |
Example Response
A successful request returns a JSON object containing the access token and its expiry time in seconds:
{
"access_token": "c9SQxWWhmdVRlyh0zh8gZDTkubVF",
"expires_in": "3599"
}
- access_token: The token used to authenticate other API requests.
- expires_in: Token’s validity in seconds, usually 3600.
Using the Access Token in Other API Requests
Once you have the access_token, you can call other Safaricom APIs by including the token in your request headers as follows:
- In Postman, go to the Headers tab.
- Set up the Authorization header:
  - Key: Authorization
  - Value: Bearer YOUR_ACCESS_TOKEN (replace YOUR_ACCESS_TOKEN with the actual token from the response).
For example:
Authorization: Bearer c9SQxWWhmdVRlyh0zh8gZDTkubVF
Notes
- Token Expiry: Remember, the token is only valid for 1 hour, so you’ll need to generate a new one after this time to continue making API requests.
- Security: Keep your Consumer Key and Consumer Secret secure. Do not share or expose these keys.
- Sandbox Testing: Always test your setup in the Sandbox environment. When you’re ready to go live, switch to the Production URL.
Conclusion
With the access token, you’re ready to explore other Daraja APIs to manage M-Pesa payments, check transaction statuses, and more. Following these steps, you’ll establish secure, authenticated interactions with the M-Pesa services.
Happy Coding with M-Pesa Daraja API!
Top comments (2)
Awesome! Can you make a post on how to push to production?
This is well noted, I will do that.