What Is M-Pesa STK Push?
STK Push, officially called Lipa Na M-Pesa Online, is an M-Pesa feature that allows a business to initiate a payment request directly to a customer's phone. Instead of the customer navigating to the M-Pesa menu, selecting Paybill, and manually entering your business number and amount, your system sends a pop-up prompt to their phone asking them to confirm the payment with their PIN.
This reversal of the payment flow solves many of the friction points in traditional M-Pesa payments. The customer does not need to remember your Paybill number, type an account reference, or manually enter the correct amount. All of this is handled by your system, and the customer's only action is entering their M-Pesa PIN.
How STK Push Differs from Traditional M-Pesa Payments
| Feature | Traditional C2B | STK Push |
|---|---|---|
| Initiated by | Customer | Business |
| Customer effort | Navigate menus, enter details | Enter PIN only |
| Error risk | High (wrong number, amount, reference) | Very low (pre-filled by system) |
| Speed | 30-60 seconds | Under 10 seconds |
| Account reference | Customer types manually | Set automatically by your system |
| Payment confirmation | Via M-Pesa SMS | Real-time callback to your system |
| Best for | Walk-in payments | Online checkout, invoicing, apps |
Key Benefits for Your Business
STK Push delivers measurable improvements across several areas of your payment operations. The most significant benefit is the reduction in payment errors. Because your system controls the Paybill number, amount, and account reference, there is virtually no chance of a customer sending money to the wrong number or using an incorrect reference.
- Higher conversion rates: Fewer steps mean fewer abandoned payments, especially in e-commerce checkout flows.
- Near-perfect reconciliation: Every STK Push transaction includes your system-generated reference, making automatic matching reliable.
- Faster checkout: Customers complete payment in seconds rather than minutes.
- Reduced support tickets: No more calls about wrong Paybill numbers or missing payments.
- Real-time confirmation: Your system receives a callback the moment the payment succeeds or fails.
- Better user experience: Customers appreciate the convenience, which builds loyalty and repeat purchases.
How STK Push Works Technically
The STK Push flow involves three parties: your application, the Safaricom Daraja API, and the customer's phone. Your application sends a payment request to the Daraja API with the customer's phone number, the amount, and a reference. Safaricom then pushes a USSD prompt to the customer's phone.
1. Your server authenticates with the Daraja API using OAuth 2.0 to obtain an access token.
2. Your server sends a Lipa Na M-Pesa Online request with the customer's phone number, amount, callback URL, and account reference.
3. Safaricom validates the request and pushes a payment prompt to the customer's SIM toolkit.
4. The customer sees a pop-up on their phone showing your business name, the amount, and the account reference.
5. The customer enters their M-Pesa PIN to authorize the payment.
6. Safaricom processes the transaction and sends a callback to your server with the result (success or failure).
7. Your application updates the order or invoice status based on the callback response.
The STK Push prompt expires after approximately 60 seconds. If the customer does not respond in time, the transaction is automatically cancelled. Your system should handle this timeout gracefully and offer the customer the option to retry.
Common Use Cases for STK Push
STK Push is versatile enough to work across virtually any business model that accepts M-Pesa payments. Its ability to be triggered programmatically makes it especially valuable in digital and automated environments.
- E-commerce checkout: Trigger payment when the customer clicks 'Pay with M-Pesa' on your website or app.
- Invoice payments: Send an STK Push when a customer clicks a payment link in an emailed or WhatsApp invoice.
- Subscription billing: Automatically request payment when a subscription is due for renewal.
- Event ticketing: Process ticket purchases instantly at the point of selection.
- Delivery payments: Request payment upon delivery confirmation for cash-on-delivery orders.
- Utility top-ups: Allow customers to pay for airtime, electricity, or water with a single tap.
Handling Edge Cases and Failures
Not every STK Push request results in a successful payment. Your system needs to handle several failure scenarios gracefully to maintain a good customer experience and accurate records.
The most common failure is a timeout, where the customer does not respond to the prompt within 60 seconds. Other failures include insufficient funds, wrong PIN entry (customers get three attempts), and network issues where the prompt does not reach the phone. In all cases, your callback URL will receive a response indicating the failure reason.
- Implement retry logic with a reasonable cooldown period (at least 30 seconds between retries).
- Display clear error messages to the customer explaining what happened and what to do next.
- Log all failed transactions for analysis -- recurring failures from the same customers may indicate a UX problem.
- Provide a fallback payment method (manual Paybill) for cases where STK Push consistently fails.
- Never assume a payment succeeded without receiving a confirmed callback from Safaricom.
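One way to enforce the retry rules above, as an added example that is not code from this article or from Safaricom: a small gate that decides whether a new push may be sent for an order. The class name, the `MAX_ATTEMPTS` value and the order id are assumptions; the 30 and 60 second figures are the ones quoted above.

```python
import time

COOLDOWN_S = 30     # article: at least 30 seconds between retries
PROMPT_TTL_S = 60   # article: the prompt expires after roughly 60 seconds
MAX_ATTEMPTS = 3    # assumption: pushes allowed before offering manual Paybill

class PushGate:
    """Decides whether a new STK Push may be sent for an order (hypothetical helper)."""

    def __init__(self):
        # order_id -> {"attempts": int, "sent_at": float or None, "open": bool}
        self.state = {}

    def request(self, order_id, now=None):
        now = time.time() if now is None else now
        s = self.state.setdefault(
            order_id, {"attempts": 0, "sent_at": None, "open": False})
        if s["open"] and now - s["sent_at"] < PROMPT_TTL_S:
            # A prompt is still live on the phone: do not stack a second one.
            return ("wait", round(PROMPT_TTL_S - (now - s["sent_at"])))
        if s["open"]:
            # No callback arrived within the TTL: treat as timed out, never as paid.
            s["open"] = False
        if s["attempts"] >= MAX_ATTEMPTS:
            return ("fallback", "manual Paybill")
        if s["sent_at"] is not None and now - s["sent_at"] < COOLDOWN_S:
            return ("wait", round(COOLDOWN_S - (now - s["sent_at"])))
        s.update(attempts=s["attempts"] + 1, sent_at=now, open=True)
        return ("send", s["attempts"])

    def on_failure_callback(self, order_id):
        """Call when the callback reports a failure, so a retry can be offered."""
        s = self.state.get(order_id)
        if s:
            s["open"] = False
```
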
Security Considerations
STK Push is inherently secure because it requires the customer's M-Pesa PIN for every transaction. However, your implementation must also follow security best practices to protect your callback endpoints and customer data.
Always use HTTPS for your callback URLs and validate that incoming callbacks actually originate from Safaricom's servers. Store your Daraja API credentials securely using environment variables, never in your source code. Implement rate limiting on your STK Push endpoint to prevent abuse, and log all transactions for audit purposes.
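The callback checks described above, as an added example that is not code from this article or from Safaricom: the handler accepts a result only from an allowed source, only for a request your system actually sent, only once, and only for the amount requested. The allow-list range, the store layout and all sample values are constructed; the JSON field names are an assumption about the shape of the Daraja STK callback body.

```python
import ipaddress

# Assumption: placeholder allow-list (a documentation range); use the source
# ranges Safaricom publishes for your environment.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

def new_store():
    """Constructed sample: pushes recorded when the request was sent."""
    return {"ws_CO_SAMPLE_0001": {"order": "INV-1001", "amount": 1500, "status": "PENDING"}}

def handle_callback(source_ip, payload, store):
    """Return (http_status, outcome). Only a verified ResultCode 0 marks PAID."""
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in ALLOWED_SOURCES):
        return 403, "rejected: unknown source"
    try:
        cb = payload["Body"]["stkCallback"]
        checkout_id, code = str(cb["CheckoutRequestID"]), int(cb["ResultCode"])
        meta = (cb.get("CallbackMetadata") or {}).get("Item") or []
        items = {i["Name"]: i.get("Value") for i in meta}
    except (KeyError, TypeError, ValueError, AttributeError):
        return 400, "rejected: malformed body"
    rec = store.get(checkout_id)
    if rec is None:                      # we never sent this request
        return 404, "rejected: unknown CheckoutRequestID"
    if rec["status"] != "PENDING":       # duplicate or replayed callback
        return 200, "ignored: already " + rec["status"]
    if code != 0:                        # timeout, cancel, wrong PIN, low funds
        rec.update(status="FAILED", reason=cb.get("ResultDesc", ""))
        return 200, "failed"
    if items.get("Amount") != rec["amount"]:
        rec["status"] = "REVIEW"         # paid amount differs from what we asked
        return 200, "held for review"
    rec.update(status="PAID", receipt=items.get("MpesaReceiptNumber"))
    return 200, "paid"

if __name__ == "__main__":
    store = new_store()
    sample = {"Body": {"stkCallback": {   # constructed callback body
        "CheckoutRequestID": "ws_CO_SAMPLE_0001", "ResultCode": 0,
        "ResultDesc": "ok", "CallbackMetadata": {"Item": [
            {"Name": "Amount", "Value": 1500.0},
            {"Name": "MpesaReceiptNumber", "Value": "SAMPLE0001"}]}}}}
    print(handle_callback("203.0.113.10", sample, store))   # accepted source
    print(handle_callback("203.0.113.10", sample, store))   # replay is ignored
```

A source allow-list alone is weak if the service sits behind a proxy that rewrites addresses, which is why the handler also insists on a matching pending request and amount.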
Get Started with STK Push Through Vendly
Setting up STK Push does not have to mean building everything from scratch. Vendly provides built-in M-Pesa STK Push functionality that works out of the box. Generate payment links, send invoice reminders with one-tap payment, and let your customers pay in seconds -- all without writing a single line of integration code.
