DEV Community

Sospeter Mong'are
Sospeter Mong'are

Posted on

Safaricom Daraja API: Authorization API Guide for Access Tokens

Safaricom’s Daraja API enables developers to integrate with M-Pesa and create seamless payment solutions. To securely access these APIs, you first need to obtain an access token using a dedicated authorization endpoint. This access token is valid for 3600 seconds (1 hour) and must be renewed when it expires. This guide will walk you through the steps for generating an access token, including details for testing on Postman.

Mpesa Daraja APIs

Overview: Authentication API

The Authorization API provides a time-bound access token required for calling other Daraja APIs. This is a foundational step, as all other API calls require this token for authentication.

Endpoint Summary

  • Method: GET
  • URL: https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
  • Grant Type: client_credentials

Prerequisites

To use this endpoint, you’ll need:

  1. Consumer Key
  2. Consumer Secret

These credentials are generated when you register your application on the Daraja portal under My Apps.


Step-by-Step Guide to Generating an Access Token

Step 1: Set Up the Request in Postman

1. Open Postman and Create a New Request

  • Choose the GET method.
  • Enter the endpoint URL:

     https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
    

2. Set Up Authorization in Postman

  • Go to the Authorization tab in Postman.
  • Select Basic Auth as the type.
  • Enter your Consumer Key in the Username field.
  • Enter your Consumer Secret in the Password field.
  • Postman will automatically generate the necessary authorization header.

Step 2: Request Headers

You don’t need to add any headers manually because the Basic Auth will populate the Authorization header automatically, containing the Base64-encoded Consumer Key and Consumer Secret.

Step 3: Send the Request

Click Send in Postman to make the request. If successful, you’ll receive a response with your access token and its expiry time.


Request Example

Below is an example of the request you’ll be sending to obtain the access token:

  • Method: GET
  • URL: https://sandbox.safaricom.co.ke/oauth/v1/generate?grant_type=client_credentials
  • Authorization Type: Basic Auth

Request Body

There’s no additional body content required for this GET request.

Headers

Header Value
Authorization Basic <Base64-encoded Consumer Key:Consumer Secret>

Query Parameters

Parameter Description Type Value
grant_type Specifies the grant type, which is supported as client_credentials Query client_credentials

Example Response

A successful request returns a JSON object containing the access token and its expiry time in seconds:

{
   "access_token": "c9SQxWWhmdVRlyh0zh8gZDTkubVF",
   "expires_in": "3599"
}
Enter fullscreen mode Exit fullscreen mode
  • access_token: The token used to authenticate other API requests.
  • expires_in: Token’s validity in seconds, usually 3600.

Using the Access Token in Other API Requests

Once you have the access_token, you can call other Safaricom APIs by including the token in your request headers as follows:

  1. In Postman, go to the Headers tab.
  2. Set up the Authorization header:
    • Key: Authorization
    • Value: Bearer YOUR_ACCESS_TOKEN (replace YOUR_ACCESS_TOKEN with the actual token from the response).

For example:

Authorization: Bearer c9SQxWWhmdVRlyh0zh8gZDTkubVF
Enter fullscreen mode Exit fullscreen mode

Notes

  1. Token Expiry: Remember, the token is only valid for 1 hour, so you’ll need to generate a new one after this time to continue making API requests.
  2. Security: Keep your Consumer Key and Consumer Secret secure. Do not share or expose these keys.
  3. Sandbox Testing: Always test your setup in the Sandbox environment. When you’re ready to go live, switch to the Production URL.

Conclusion

With the access token, you’re ready to explore other Daraja APIs to manage M-Pesa payments, check transaction statuses, and more. Following these steps, you’ll establish secure, authenticated interactions with the M-Pesa services.

Happy Coding with M-Pesa Daraja API!

Top comments (2)

Collapse
 
ngonyoku profile image
NGONYOKU

Awesome1 Can you make a post on how to push to production

Collapse
 
msnmongare profile image
Sospeter Mong'are

This is well noted, I will do that