System Status: OperationalCreate Free Account
Documentation v1.0

CORE INFRA
MANUAL.

Welcome to the HirallPay Core Infrastructure documentation. This guide details how to integrate high-performance payment rails into your African enterprise stack.

Quick Start

To begin orchestrating payments, first initialize the HirallPay client with your secure merchant credentials.

npm install
npm i @hirallpay/sdk

Configure your environment with the standard HirallPay variables extracted from your dashboard settings.

.env
HirallPay_API_KEY=sk_test_51Mz...
HirallPay_WEBHOOK_SECRET=whsec_...

Project Structure

The HirallPay ecosystem is split into two primary components to separate core infrastructure from user-facing interfaces.

flux (Web App)

The Next.js powered dashboard and merchant portal.

hirallpay-sdk

Universal SDK supporting TypeScript, Python, and Dart.

Environment Setup

Ensure your environment is properly configured with these core variables to enable secure API communication.

VariableDescription
HIRALL_PAY_API_KEYYour merchant secret key used for server-side auth.
HIRALL_PAY_WEBHOOK_SECRETSecret key used to verify webhook signatures.

The Money Flow

When a developer adds their Daraja credentials, they're giving HirallPay their Shortcode — which is their own Paybill or Till number registered with Safaricom. That shortcode is what tells M-Pesa whose account to deposit the money into.

Key Insight

The STK Push request tells Safaricom: "Prompt this customer to pay... to THIS shortcode".

  • If the shortcode is the developer's → money goes to developer
  • If the shortcode is yours → money goes to you

Since HirallPay uses the developer's own shortcode when calling Daraja, Safaricom deposits directly into the developer's M-Pesa Paybill. HirallPay is just the messenger — it never appears in the money flow at all.

The Full Flow in Detail

  1. Developer adds their credentials to HirallPay:
    • Consumer Key & Secret: Used to get OAuth token from Daraja
    • Passkey: Used to generate STK push password
    • Shortcode: THIS is where money lands (developer's Paybill)
  2. Customer pays via developer's app.
  3. HirallPay builds the STK Push request using developer's OWN credentials.
  4. Safaricom receives the request, sees the shortcode, prompts the customer, and deposits money into the developer's account.
  5. HirallPay never appears in this transaction at all.

So the credentials are the proof of ownership. Only the real owner of a Paybill has the matching Consumer Key, Secret, and Passkey from Daraja. When HirallPay uses those credentials, Safaricom treats it exactly as if the developer's own server made the call.

Authentication

HirallPay uses deterministic bearer tokens for all API interactions. All requests must be performed over SSL with a strictly formatted Authorization header.

cURL Request
curl -X POST https://api.hirallpay.dev/v1/payments/initiate \
  -H "x-api-key: sk_test_..." \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "DARAJA",
    "amount": 1000,
    "currency": "KES",
    "customer": { "phone": "254712345678" }
  }'

STK Push (M-Pesa)

The STK Push (Sim Tool Kit) allows you to trigger a payment request directly on the user's mobile device. This is the gold standard for frictionless mobile money in Kenya.

Initiate STK Push
import { HirallPayClient } from '@hirallpay/sdk';

const client = new HirallPayClient({ 
  apiKey: process.env.HIRALL_PAY_API_KEY 
});

const result = await client.payments.initiate({
  provider: 'DARAJA',
  amount: 1000,
  currency: 'KES',
  customer: {
    phone: '254712345678'
  },
  description: 'Service Payment'
});

Node.js SDK

The official HirallPay Node.js SDK provides a type-safe wrapper around our core APIs, designed for high-concurrency environments.

Installation
npm install @hirallpay/sdk

React/Next.js Integration

Use our pre-built components for a seamless checkout experience within any React framework.

React components documentation is currently in progress.

Handling Webhooks

HirallPay relies on asynchronous webhooks to communicate transaction finality. Ensure your endpoint returns a 200 OK status within 200ms to avoid re-delivery.

Important

All webhook payloads are signed with an HMAC SHA256 header. Always verify the signature before processing sensitive transaction updates.

Troubleshooting Guide

Use this guide to resolve common integration roadblocks and environment configuration issues.

1. SDK Installation Failures

If you encounter a 404 when installing `@hirallpay/sdk`, verify the package name in the registry.

🛠
Check Registry Scopes: Verify if the scope is private. Ensure your `.npmrc` is configured with the correct token.
🛠
Use Search: Run npm search hirallpay to find the latest published versions.

2. DNS & Connectivity

Errors like getaddrinfo ENOENT usually indicate DNS resolution issues.

🛠
Validate Endpoints: Ensure you are hitting api.hirallpay.dev for development.
🛠
Network Isolation: Run a quick ping google.com to verify outbound internet access.

Standard Debugging SOP

Step 01

Check service status at status.hirallpay.com.

Step 02

Capture full request payloads for review.

Step 03

Verify webhook signatures with HMAC SHA256.

Step 04

Ensure TLS 1.2+ for all API interactions.