Moflay stores Daraja credentials so it can authenticate with Safaricom on your behalf when your app creates an M-Pesa Express payment. Sensitive Daraja credential fields are encrypted before storage and scoped to your business and environment.

What Moflay protects

Moflay encrypts these Daraja credential fields when you save or update credentials:
  • Consumer key
  • Consumer secret
  • Passkey
Moflay also stores non-secret routing fields such as the business shortcode, account reference, environment, short code type, and credential status.

How credential encryption works

Moflay uses purpose-scoped encryption for Daraja secrets:
| Control | Behavior |
| --- | --- |
| Encryption algorithm | AES-256-GCM |
| Key derivation | HKDF-SHA256 from the Moflay encryption root key |
| Purpose scope | Daraja credentials use a dedicated encryption purpose |
| Ciphertext format | Versioned encrypted payloads for newly encrypted Daraja secret fields |

AES-GCM provides authenticated encryption, which means encrypted values cannot be decrypted successfully if the ciphertext or authentication tag has been changed.
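
The controls in this section, sketched as an added example that is not Moflay's own code: a purpose-scoped key is derived with HKDF-SHA256, a field is encrypted with AES-256-GCM into a versioned payload, and decryption is shown to fail for a modified payload or a key derived for a different purpose. The purpose labels, the one-byte version prefix, the payload layout, and the sample root key are assumptions made for illustration.

```javascript
// Added example, not Moflay's code. Purpose label, version byte and payload
// layout (version | iv | tag | ciphertext, base64) are assumptions.
const crypto = require("node:crypto");
const VERSION = 1;                    // assumed 1-byte format version
const PURPOSE = "daraja-credentials"; // hypothetical purpose label

// HKDF-SHA256: derive a 32-byte AES key for one purpose from the root key.
function deriveKey(rootKey, purpose) {
  return Buffer.from(crypto.hkdfSync("sha256", rootKey, Buffer.alloc(0), purpose, 32));
}

function encryptField(rootKey, purpose, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(rootKey, purpose), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([Buffer.from([VERSION]), iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptField(rootKey, purpose, payload) {
  const raw = Buffer.from(payload, "base64");
  if (raw.length < 29 || raw[0] !== VERSION) throw new Error("unsupported payload version");
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(rootKey, purpose), raw.subarray(1, 13));
  decipher.setAuthTag(raw.subarray(13, 29));
  // final() throws if the key, IV, tag or ciphertext does not match.
  return Buffer.concat([decipher.update(raw.subarray(29)), decipher.final()]).toString("utf8");
}

// True when the payload authenticates and decrypts, false otherwise.
function canDecrypt(rootKey, purpose, payload) {
  try { decryptField(rootKey, purpose, payload); return true; } catch { return false; }
}

// Flip one bit of the last byte to simulate a modified stored value.
function flipLastByte(payload) {
  const raw = Buffer.from(payload, "base64");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64");
}

function demo() {
  const rootKey = Buffer.alloc(32, 0x42); // constructed sample root key
  const stored = encryptField(rootKey, PURPOSE, "constructed-consumer-secret");
  return {
    roundTrip: decryptField(rootKey, PURPOSE, stored),
    tampered: canDecrypt(rootKey, PURPOSE, flipLastByte(stored)),
    wrongPurpose: canDecrypt(rootKey, "api-keys", stored),
  };
}
console.log(demo());
```
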

Business and environment scoping

Credential records are scoped to:
  • Your Moflay business
  • The selected environment, sandbox or production
Moflay allows one M-Pesa Express credential configuration per business per environment. This keeps sandbox testing separate from production payments and prevents a live credential set from being used by a sandbox API key.

When credentials are decrypted

Moflay decrypts stored Daraja secret fields only when it needs to authenticate with Safaricom for a payment request or credential-dependent operation. Your application continues to call Moflay with an API key; it does not need to perform the Daraja token exchange directly.

Sandbox assigned credentials

In sandbox, Moflay can use assigned test credentials for fast setup. Custom sandbox credentials and production credentials are stored with the same sensitive-field encryption behavior when you save them.

What you should still do

  • Restrict dashboard access to trusted team members.
  • Use separate sandbox and production API keys.
  • Rotate credentials if you suspect exposure in Safaricom, Moflay, or your internal systems.
  • Keep live Daraja credentials out of source code, chat messages, and ticket attachments.

Important limits

Moflay encrypts sensitive credential fields before storage, but your team should still treat Daraja credentials as secrets. Do not share them outside trusted operational workflows.
Moflay maintains compatibility with existing credential records during migrations. Security documentation should describe the current encryption behavior without claiming that every historical row has always used the newest ciphertext format.