sdk.pay() or sdk.registerIpn(), the SDK authenticates with the provider using your credentials, retrieves a token, and attaches it to the request — you don’t need to manage tokens manually.
PesaPal authentication
PesaPal uses OAuth2. Before each request, the SDK calls POST /api/Auth/RequestToken with your consumer key and secret, then attaches the returned Bearer token to the Authorization header of the subsequent API call.
Credentials required:
| Credential | Config field |
|---|---|
| Consumer key | PESAPAL_CONSUMER_KEY |
| Consumer secret | PESAPAL_CONSUMER_SECRET |
token field. Subsequent requests include:
A fresh token is fetched on every sdk.pay() and sdk.registerIpn() call. The SDK does not cache tokens between calls.
ClickPesa authentication
ClickPesa uses JWT. Before each payment request, the SDK calls POST /third-parties/generate-token with your client ID and API key passed as request headers. The returned JWT is attached directly to the Authorization header of the payment request (without a Bearer prefix).
Credentials required:
| Credential | Config field |
|---|---|
| Client ID | CLICKPESA_CLIENT_ID |
| API key | CLICKPESA_API_KEY |
token field. Subsequent requests include:
Loading credentials safely
.env file should look like:
Add .env to your .gitignore to keep credentials out of source control.
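The JavaScript below is an added example, not code from the SDK or its documentation. It checks at startup that the config fields from the two tables above are set, builds the Authorization value each provider expects (Bearer prefix for PesaPal, bare JWT for ClickPesa), and masks that header before logging. The names loadCredentials, authorizationHeader, redactHeaders and sampleEnv are assumptions, and the sample values are constructed.

```javascript
// Added example: helper names are hypothetical and not part of the SDK.
const REQUIRED = new Map([
  ["pesapal", ["PESAPAL_CONSUMER_KEY", "PESAPAL_CONSUMER_SECRET"]],
  ["clickpesa", ["CLICKPESA_CLIENT_ID", "CLICKPESA_API_KEY"]],
]);

// Fail closed at startup; the error names missing variables, never values.
function loadCredentials(provider, env = process.env) {
  const fields = REQUIRED.get(provider);
  if (!fields) throw new Error(`unknown provider: ${provider}`);
  const missing = fields.filter((name) => !(env[name] || "").trim());
  if (missing.length > 0) {
    throw new Error(`missing ${provider} credentials: ${missing.join(", ")}`);
  }
  return Object.fromEntries(fields.map((name) => [name, env[name].trim()]));
}

// PesaPal takes "Bearer <token>"; ClickPesa takes the JWT with no prefix.
function authorizationHeader(provider, token) {
  if (typeof token !== "string" || token === "" || /[\r\n]/.test(token)) {
    throw new Error("token is empty or contains a line break");
  }
  if (provider === "pesapal") return `Bearer ${token}`;
  if (provider === "clickpesa") return token;
  throw new Error(`unknown provider: ${provider}`);
}

// Copy of the headers that is safe to log: Authorization is masked.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = name.toLowerCase() === "authorization" ? "[REDACTED]" : value;
  }
  return out;
}

// Constructed sample environment: placeholder values, CLICKPESA_API_KEY unset.
const sampleEnv = {
  PESAPAL_CONSUMER_KEY: "example-key",
  PESAPAL_CONSUMER_SECRET: "example-secret",
  CLICKPESA_CLIENT_ID: "example-client",
  CLICKPESA_API_KEY: "",
};

const demoHeaders = { Authorization: authorizationHeader("pesapal", "constructed-token") };
console.log(Object.keys(loadCredentials("pesapal", sampleEnv)));
console.log(redactHeaders(demoHeaders));
try { loadCredentials("clickpesa", sampleEnv); } catch (err) { console.log(err.message); }
```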