M-Pesa Integration in 2026: The Complete Developer Guide

Samuel Kimani
February 08, 2026

Why M-Pesa Still Dominates

With over 50 million active users in Kenya alone, M-Pesa isn't just a payment method — it's financial infrastructure. Any serious Kenyan software product needs native M-Pesa integration, not a third-party gateway that adds latency and fees.

STK Push: The Gold Standard

STK Push (Lipa Na M-Pesa Online) is the smoothest payment experience for users. Your app sends a payment request, Safaricom pushes a prompt to the user's phone, they enter their PIN, and you get a callback. No redirects, no USSD codes, no friction.

The implementation involves three steps: authenticate with Daraja to get an access token, initiate the STK push with customer details, and handle the callback webhook when payment completes.

Handling Webhooks Securely

M-Pesa callbacks come from Safaricom's IP ranges (196.201.214.0/24 and 196.201.213.0/24). Always whitelist these IPs in production. Validate the callback structure, verify the CheckoutRequestID matches a pending payment, and process idempotently — callbacks can arrive more than once.

We also implement a polling fallback: if no callback arrives within 30 seconds, we query the transaction status directly. This handles network issues between Safaricom and your server.
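The callback checks described above, combined in one handler. This is an added example in Python, not code from the article or from Safaricom. `PaymentStore`, `handle_callback` and the outcome strings are hypothetical names, and the payload layout (`Body.stkCallback`, with `ResultCode` 0 meaning success) is assumed from Daraja's STK callback format.

```python
import ipaddress

# Safaricom callback ranges as stated in this article.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("196.201.214.0/24", "196.201.213.0/24")]


class PaymentStore:
    """In-memory stand-in for a payments table (hypothetical; use a DB with a unique key)."""

    def __init__(self):
        self.payments = {}  # CheckoutRequestID -> {"status": "pending" | "paid" | "failed"}

    def add_pending(self, checkout_id):
        self.payments[checkout_id] = {"status": "pending"}


def handle_callback(source_ip, payload, store):
    """Return (http_status, outcome) for one STK callback delivery."""
    # source_ip must be the real TCP peer address, or a header set by a proxy you
    # control; a client-supplied X-Forwarded-For value is not trustworthy.
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return 403, "bad_source"
    if not any(addr in net for net in ALLOWED_NETS):
        return 403, "bad_source"

    # Structural validation: reject anything that is not the expected shape.
    try:
        cb = payload["Body"]["stkCallback"]
        checkout_id = cb["CheckoutRequestID"]
        result_code = cb["ResultCode"]
    except (KeyError, TypeError):
        return 400, "malformed"
    if not isinstance(checkout_id, str) or not isinstance(result_code, int):
        return 400, "malformed"

    record = store.payments.get(checkout_id)
    if record is None:
        return 404, "unknown_checkout_id"
    # Idempotency: a repeated delivery must not change state or re-credit the order.
    if record["status"] != "pending":
        return 200, "duplicate_ignored"

    record["status"] = "paid" if result_code == 0 else "failed"
    return 200, record["status"]
```

In production the pending-to-final transition should be a single conditional update in the database, so two concurrent deliveries of the same callback cannot both pass the pending check.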

Common Pitfalls

Phone number normalization trips up most developers. M-Pesa expects 254XXXXXXXXX format — not +254, not 07XX. Token caching is essential too; don't request a new access token for every transaction. Cache it for 3500 seconds (just under the 3600-second expiry).
