🚨 Active Supply Chain Attack:node-ipc Package Compromised.Learn More →
Socket
Book a DemoSign in
Socket
Book a DemoSign in

mpesa-api

Package Overview
Dependencies
Maintainers
1
Versions
14
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

mpesa-api

An NPM Module built with NodeJs to help you with M-Pesa Daraja API calls.

latest
Source
npmnpm
Version
3.0.2
Version published
Weekly downloads
219
-2.67%
Maintainers
1
Weekly downloads
 
Created
Source

Mpesa-Api

:zap: :bomb: :fire: :fire: :bomb: :zap:

An NPM Module built with NodeJs to help you with M-Pesa Daraja API calls.

Please note that this module is intended for use in a node environment on the backend and will raise a few issues if used on the client side/browser environment. This is mainly due to the file system.

Looking for contributors who can help write tests.

Badge
TravisBuild Status
LatestLatest
MinifiedMinified Size
MinZipMin

Ready Methods

Prerequisites

  • Node 6+.
  • NPM(comes with Node) or Yarn.

Installation

Mpesa-Api uses Node Package Manager

npm i mpesa-api

Or Yarn

yarn add mpesa-api

Requisites

You Will need a few things from Safaricom before development.

  • Login or Register as a Safaricom developer here if you haven't.
  • Add a new App here
  • You will be issued with a Consumer Key and Consumer Secret. You will use these to initiate an Mpesa Instance.
  • Obtain Test Credentials here.
    • The Test Credentials Obtained Are only valid in Sandbox/Development environment. Take note of them.
    • To run in Production Environment you will need real Credentials.
      • To go Live and be issued with real credentials,please refer to this guide

Getting Started

// import package
import { Mpesa } from "mpesa-api";
//OR
const Mpesa = require("mpesa-api").Mpesa;

// create a new instance of the api
const mpesa = new Mpesa(credentials, environment);

A moment to explain the above. credentials should be an object containing key,secret,initiator password, security credential and certificate path as the properties/keys.

//example
const credentials = {
    clientKey: 'YOUR_CONSUMER_KEY_HERE',
    clientSecret: 'YOUR_CONSUMER_SECRET_HERE',
    initiatorPassword: 'YOUR_INITIATOR_PASSWORD_HERE',
    securityCredential: 'YOUR_SECURITY_CREDENTIAL',
    certificatePath: 'keys/example.cert'
};
// For the initiator_password, use the security credential from the test credentials page.link :https://developer.safaricom.co.ke/test_credentials

// security credential is optional. Set this if you're getting Initiator Name is invalid errors. You can generate your security credential on the test credentials page for sandbox environment or from your mpesa web portal for production environment.

// certificate path is otional. I've provided ceritificates for sandbox and production by default. If you choose not to include it Pass it as null. If you have passed `securityCredential` you should pass `certificatePath` as `null`
const credentials = {
    ...,
    certificatePath: null
};

You can get initiator password from Your Portal(production) or from test credentials(Sandbox). It will be the Security Credential (Shortcode 1). You can generate your security credential on the test credentials page for sandbox environment or from your mpesa web portal for production environment. See this guide for production environment(last step on the go live guide).

Environment should be a string. It can be either 'production' or 'sandbox'

const environment = "sandbox";
//or
const environment = "production";

Methods and Api Calls

Business to Business

This Has Been Disabled as of January 2019 and I have therefore removed it for now.

This API enables Business to Business (B2B) transactions between a business and another business. Use of this API requires a valid and verified B2B M-Pesa short code for the business initiating the transaction and the both businesses involved in the transaction.

mpesa
  .b2b({
    InitiatorName: "Initiator Name",
    Amount: 1000 /* 1000 is an example amount */,
    PartyA: "Party A",
    PartyB: "Party B",
    AccountReference: "Account Reference",
    QueueTimeOutURL: "Queue Timeout URL",
    ResultURL: "Result URL",
    CommandID: "Command ID" /* OPTIONAL */,
    SenderIdentifierType: 4 /* OPTIONAL */,
    RecieverIdentifierType: 4 /* OPTIONAL */,
    Remarks: "Remarks" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • Initiator - This is the credential/username used to authenticate the transaction request.
  • CommandID - Unique command for each transaction type, default is MerchantToMerchantTransfer possible values are: BusinessPayBill, MerchantToMerchantTransfer, MerchantTransferFromMerchantToWorking, MerchantServicesMMFAccountTransfer, AgencyFloatAdvance
  • Amount - The amount being transacted.
  • PartyA - Organization’s short code initiating the transaction.
  • SenderIdentifier - Type of organization sending the transaction. Deault is 4
  • PartyB - Organization’s short code receiving the funds being transacted.
  • RecieverIdentifierType - Type of organization receiving the funds being transacted. Default is 4
  • Remarks - Comments that are sent along with the transaction.
  • QueueTimeOutURL - The path that stores information of time out transactions.it should be properly validated to make sure that it contains the port, URI and domain name or publicly available IP.
  • ResultURL - The path that receives results from M-Pesa it should be properly validated to make sure that it contains the port, URI and domain name or publicly available IP.
  • AccountReference - Account Reference mandatory for “BusinessPaybill” CommandID.

Business to Customer (B2C)

This API enables Business to Customer (B2C) transactions between a company and customers who are the end-users of its products or services. Use of this API requires a valid and verified B2C M-Pesa Short code.

mpesa
  .b2c({
    Initiator: "Initiator Name",
    Amount: 1000 /* 1000 is an example amount */,
    PartyA: "Party A",
    PartyB: "Party B",
    QueueTimeOutURL: "Queue Timeout URL",
    ResultURL: "Result URL",
    CommandID: "Command ID" /* OPTIONAL */,
    Occasion: "Occasion" /* OPTIONAL */,
    Remarks: "Remarks" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • Initiator - This is the credential/username used to authenticate the transaction request.
  • CommandID - Unique command for each transaction type e.g. SalaryPayment, BusinessPayment, PromotionPayment
  • Amount - The amount being transacted
  • PartyA - Organization’s shortcode initiating the transaction.
  • PartyB - Phone number receiving the transaction
  • Remarks - Comments that are sent along with the transaction.
  • QueueTimeOutURL - The timeout end-point that receives a timeout response.
  • ResultURL - The end-point that receives the response of the transaction
  • Occasion - Optional

C2B

This API enables Paybill and Buy Goods merchants to integrate to M-Pesa and receive real time payments notifications.

Register

The C2B Register URL API registers the 3rd party’s confirmation and validation URLs to M-Pesa ; which then maps these URLs to the 3rd party shortcode. Whenever M-Pesa receives a transaction on the shortcode, M-Pesa triggers a validation request against the validation URL and the 3rd party system responds to M-Pesa with a validation response (either a success or an error code). The response expected is the success code the 3rd party

M-Pesa completes or cancels the transaction depending on the validation response it receives from the 3rd party system. A confirmation request of the transaction is then sent by M-Pesa through the confirmation URL back to the 3rd party which then should respond with a success acknowledging the confirmation.

mpesa
  .c2bregister({
    ShortCode: "Short Code",
    ConfirmationURL: "Confirmation URL",
    ValidationURL: "Validation URL",
    ResponseType: "Response Type",
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • ShortCode - The short code of the organization.
  • ResponseType - Default response type for timeout.
  • ConfirmationURL- Confirmation URL for the client.
  • ValidationURL - Validation URL for the client.
Simulate
mpesa
  .c2bsimulate({
    ShortCode: 123456,
    Amount: 1000 /* 1000 is an example amount */,
    Msisdn: 254792123456,
    CommandID: "Command ID" /* OPTIONAL */,
    BillRefNumber: "Bill Reference Number" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • ShortCode - 6 digit M-Pesa Till Number or PayBill Number
  • CommandID - Unique command for each transaction type. Default is CustomerPayBillOnline
  • Amount - The amount been transacted.
  • MSISDN - MSISDN (phone number) sending the transaction, start with country code without the plus(+) sign.
  • BillRefNumber - Bill Reference Number (Optional).

Account Balance

The Account Balance API requests for the account balance of a shortcode.

mpesa
  .accountBalance({
    Initiator: "Initiator Name",
    PartyA: "Party A",
    IdentifierType: "Identifier Type",
    QueueTimeOutURL: "Queue Timeout URL",
    ResultURL: "Result URL",
    CommandID: "Command ID" /* OPTIONAL */,
    Remarks: "Remarks" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • Initiator - This is the credential/username used to authenticate the transaction request.
  • CommandID - A unique command passed to the M-Pesa system. Default is AccountBalance
  • PartyB - The shortcode of the organisation receiving the transaction.
  • ReceiverIdentifierType - Type of the organisation receiving the transaction.
  • Remarks - Comments that are sent along with the transaction.
  • QueueTimeOutURL - The timeout end-point that receives a timeout message.
  • ResultURL - The end-point that receives a successful transaction.

Transaction Status

Transaction Status API checks the status of a B2B, B2C and C2B APIs transactions.

mpesa
  .transactionStatus({
    Initiator: "Initiator",
    TransactionID: "Transaction ID",
    PartyA: "Party A",
    IdentifierType: "Identifier Type",
    ResultURL: "Result URL",
    QueueTimeOutURL: "Queue Timeout URL",
    CommandID: "Command ID" /* OPTIONAL */,
    Remarks: "Remarks" /* OPTIONAL */,
    Occasion: "Occasion" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • Initiator - The name of Initiator to initiating the request.
  • CommandID - Unique command for each transaction type, possible values are: TransactionStatusQuery.
  • TransactionID - Organization Receiving the funds.
  • Party A - Organization /MSISDN sending the transaction.
  • IdentifierType - Type of organization receiving the transaction.
  • ResultURL - The path that stores information of transaction.
  • QueueTimeOutURL - The path that stores information of time out transaction.
  • Remarks - Comments that are sent along with the transaction.
  • Occasion - Optional.

Lipa na mpesa online

Lipa na M-Pesa Online Payment API is used to initiate a M-Pesa transaction on behalf of a customer using STK Push. This is the same technique mySafaricom App uses whenever the app is used to make payments.

mpesa
  .lipaNaMpesaOnline({
    BusinessShortCode: 123456,
    Amount: 1000 /* 1000 is an example amount */,
    PartyA: "Party A",
    PhoneNumber: "Phone Number",
    CallBackURL: "CallBack URL",
    AccountReference: "Account Reference",
    passKey: "Lipa Na Mpesa Pass Key",
    TransactionType: "Transaction Type" /* OPTIONAL */,
    TransactionDesc: "Transaction Description" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • BusinessShortCode - The organization shortcode used to receive the transaction.
  • Amount - The amount to be transacted.
  • PartyA - The MSISDN sending the funds.
  • PartyB - The organization shortcode receiving the funds. Default is the BusinessShorCode.
  • PhoneNumber - The MSISDN sending the funds.
  • CallBackURL - The url to where responses from M-Pesa will be sent to.
  • AccountReference - Used with M-Pesa PayBills.
  • TransactionDesc - A description of the transaction.
  • passKey - Lipa Na Mpesa Pass Key.
  • Transaction Type - Default is CustomerPayBillOnline

Lipa na mpesa online query

mpesa
  .lipaNaMpesaQuery({
    BusinessShortCode: 123456,
    CheckoutRequestID: "Checkout Request ID",
    passKey: "Lipa Na Mpesa Pass Key",
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • BusinessShortCode - Business Short Code
  • CheckoutRequestID - Checkout RequestID
  • Lipa Na Mpesa Pass Key

Reversal

Reverses a B2B, B2C or C2B M-Pesa transaction.

mpesa
  .reversal({
    Initiator: "Initiator",
    TransactionID: "Transaction ID",
    Amount: 1000 /* 1000 is an example amount */,
    ReceiverParty: "Reciever Party",
    ResultURL: "Result URL",
    QueueTimeOutURL: "Queue Timeout URL",
    CommandID: "Command ID" /* OPTIONAL */,
    RecieverIdentifierType: 11 /* OPTIONAL */,
    Remarks: "Remarks" /* OPTIONAL */,
    Occasion: "Ocassion" /* OPTIONAL */,
  })
  .then((response) => {
    //Do something with the response
    //eg
    console.log(response);
  })
  .catch((error) => {
    //Do something with the error;
    //eg
    console.error(error);
  });
  • Initiator - This is the credential/username used to authenticate the transaction request.
  • TransactionID - Organization Receiving the funds.
  • Amount - The Amount To Be Reversed
  • PartyA - Organization/MSISDN sending the transaction.
  • RecieverIdentifierType - Type of organization receiving the transaction. Default is 11
  • ResultURL - The path that stores information of transaction.
  • QueueTimeOutURL - The path that stores information of time out transaction.
  • Remarks - Comments that are sent along with the transaction.
  • Occasion - Optional.
  • Command ID - Default is TransactionReversal

IP Whitelisting

You might need to whitelist Mpesa IPs listed below on the server/firewall that receives the callbacks.

View List
  • 196.201.214.200
  • 196.201.214.206
  • 196.201.213.114
  • 196.201.214.207
  • 196.201.214.208
  • 196.201.213.44
  • 196.201.212.127
  • 196.201.212.128
  • 196.201.212.129
  • 196.201.212.132
  • 196.201.212.136
  • 196.201.212.138

Demo

You can try it out on Runkit

RoadMap

  • Basic Documentation
  • Deploy to Npm
  • Migrate to Typescript
  • Detailed Documentation
  • Write Tests
  • Validators for inputs
  • Tree shaking
  • Migrate from Typescript to JSDoc

Build

If you Wish to build

  • Clone this repo
  • CD into repo
  • run npm install to install dependencies
  • run npm run build to build
  • run npm run start:dev to run package in development mode

Contributing

  • Fork the project then clone the forked project
  • Create your feature branch: git checkout -b my-new-feature
  • Make your changes and add name to Contributors list below.
  • Commit your changes: git commit -m 'Add some feature'
  • Push to the branch: git push origin my-new-feature
  • Submit a pull request.

Credits

NameRole
Newton MuneneContributor
Nelson BwogoraContributor

License

MIT License

Copyright (c) 2018 Newton Munene

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Keywords

mpesa
nodejs
node
mobile money
money

FAQs

Package last updated on 31 Jan 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Popular node-ipc npm Package Infected with Credential Stealer

Security News

/

Research

Popular node-ipc npm Package Infected with Credential Stealer

Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.

By Socket Research Team  -  May 14, 2026