Live API Reference
HashBack & HashPay APIs
Complete REST API reference for MSISDN decoding, M-Pesa STK Push payments, Wallet B2C transfers, and transaction lookups. Every endpoint documented with request examples in cURL, JavaScript, PHP, and Python.
API Key Auth
<50ms decode
Kenya (Safaricom & Airtel)
M-Pesa STK Push
HashBack Decode API
Decode hashed MSISDNs to real phone numbers. Safaricom & Airtel supported.
STK Push
Initiate M-Pesa payments, check status, and receive webhook callbacks.
Wallet B2C
Check balances, top up via STK Push, and send money to customers.
PULL API
Look up any transaction by ID for reconciliation and reporting.
Authentication
All API requests require authentication via your API key. Pass it either as a request body field or as an HTTP header depending on the endpoint.
Generate your API key from the Settings tab in your HashBack dashboard after registration.
Header method (HashBack Decode)
HTTP Header
API_KEY: YOUR_API_KEY_HERE
Body method (HashPay endpoints)
JSON Body
{
"api_key": "YOUR_API_KEY_HERE",
"account_id": "YOUR_ACCOUNT_ID"
}
Base URL
All endpoints are served over HTTPS. Use the correct versioned path for each product.
Base URLs
# HashBack Decode https://api.hashback.co.ke/ # HashPay STK + PULL https://api.hashback.co.ke/ # Wallet B2C V2 (current) https://api.hashback.co.ke/V2/
Rate Limiting
Requests are throttled per API key to protect service stability.
| Endpoint group | Limit | Window |
|---|---|---|
| All endpoints | 100 requests | Per minute |
| HashBack Decode | 10 requests | Per 5 seconds |
When rate limited you receive HTTP
429. Use exponential backoff before retrying.
429 Response
{
"error": {
"code": 429,
"message": "Too many requests. Please try again later."
}
}
HashBack Decode API
Decode hashed phone numbers back to their real MSISDN format. Supports both Safaricom and Airtel Kenya. Typical response time is under 50 ms.
Decode MSISDN Hash
POST
https://api.hashback.co.ke/decode
Request parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| hash | String | Required | The MSISDN hash string to decode |
| API_KEY | String | Required | Your API key — passed as an HTTP header |
Code examples
bash
curl -X POST https://api.hashback.co.ke/decode \ -d 'hash=4f87c55d393937f18fbf3003512195aa8e62be340946ab547c2eada26cc43c1e' \ -H 'API_KEY: YOUR_API_KEY_HERE'
javascript
const res = await fetch('https://api.hashback.co.ke/decode', { method: 'POST', headers: { 'API_KEY': 'YOUR_API_KEY_HERE' }, body: new URLSearchParams({ hash: '4f87c55d393937f18fbf3003512195aa8e62be340946ab547c2eada26cc43c1e' }) }); const { MSISDN } = await res.json(); console.log(MSISDN); // "254712345678"
php
<?php $ch = curl_init('https://api.hashback.co.ke/decode'); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['hash' => '4f87c55d...']) ); curl_setopt($ch, CURLOPT_HTTPHEADER, ['API_KEY: YOUR_API_KEY_HERE']); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $r = json_decode(curl_exec($ch), true); curl_close($ch); echo $r['MSISDN']; // 254712345678 ?>
python
import requests r = requests.post( 'https://api.hashback.co.ke/decode', data={'hash': '4f87c55d...'}, headers={'API_KEY': 'YOUR_API_KEY_HERE'} ) print(r.json()['MSISDN']) # 254712345678
Response
200 OK
{
"ResultCode": "0",
"MSISDN": "254712345678"
}
STK Push API
Initiate M-Pesa STK Push prompts on a customer's phone, check payment status, and receive real-time webhook callbacks when payments complete.
Initiate STK Push
POST
https://api.hashback.co.ke/initiatestk
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| account_id | String | Required | Your HashPay account ID |
| amount | String | Required | Payment amount in KES (e.g. "1") |
| msisdn | String | Required | Customer phone number — format 2547XXXXXXXX |
| reference | String | Required | Unique transaction reference (URL-encoded) |
bash
curl -X POST https://api.hashback.co.ke/initiatestk \ -H 'Content-Type: application/json' \ -d '{ "api_key": "YOUR_KEY", "account_id": "ACC_ID", "amount": "1", "msisdn": "254712345678", "reference": "ORDER_001" }'
javascript
const res = await fetch('https://api.hashback.co.ke/initiatestk', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ api_key: 'YOUR_KEY', account_id: 'ACC_ID', amount: '1', msisdn: '254712345678', reference: 'ORDER_001' }) }); const { checkout_id, success } = await res.json(); // Store checkout_id to poll transaction status
php
<?php $payload = json_encode([ 'api_key' => 'YOUR_KEY', 'account_id' => 'ACC_ID', 'amount' => '1', 'msisdn' => '254712345678', 'reference' => 'ORDER_001' ]); $ch = curl_init('https://api.hashback.co.ke/initiatestk'); curl_setopt_array($ch, [ CURLOPT_POST => 1, CURLOPT_POSTFIELDS => $payload, CURLOPT_HTTPHEADER => ['Content-Type: application/json'], CURLOPT_RETURNTRANSFER => true ]); $r = json_decode(curl_exec($ch), true); $checkoutId = $r['checkout_id']; ?>
Response
200 OK
{
"success": true,
"message": "STK push initiated successfully",
"checkout_id": "ws_CO_17052025174057106701834082"
}
Check Transaction Status
POST
https://api.hashback.co.ke/transactionstatus
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| account_id | String | Required | Your HashPay account ID |
| checkoutid | String | Required | The checkout_id from STK initiation |
bash
curl -X POST https://api.hashback.co.ke/transactionstatus \ -H 'Content-Type: application/json' \ -d '{"api_key":"YOUR_KEY","account_id":"ACC_ID","checkoutid":"ws_CO_..."}'
200 OK
{
"ResponseCode": "0",
"ResponseDescription": "The service request has been accepted successfully",
"ResultCode": "0",
"ResultDesc": "The service request is processed successfully."
}
Webhook Callbacks
HashPay sends a POST request to your webhook URL when a payment transaction completes. Configure your URL in the Settings tab of your HashPay portal.
Set up your webhook URL before initiating transactions. The URL must be a public HTTPS endpoint that responds with a
2xx status.
Incoming request headers
| Header | Value | Notes |
|---|---|---|
Content-Type | application/json | Body is always JSON |
X-Hashpay-Signature | sha256=<hex-digest> | Always verify this before processing |
X-Forwarded-For | HashPay origin IP | May be set by proxy/load balancer |
X-Forwarded-Proto | https | Confirms HTTPS delivery |
Webhook payload (success)
JSON — Incoming POST to your server
{
"event": "payment.success",
"ResponseCode": 0,
"ResponseDescription": "Success. Request accepted for processing",
"MerchantRequestID": "ws_CO_12052026084940",
"CheckoutRequestID": "ws_CO_12052026084940776662",
"TransactionID": "UEC496402X",
"TransactionAmount": 1,
"TransactionReceipt": "UEC496402X",
"TransactionDate": 20260512084950,
"TransactionReference": "HPL1XBF0",
"Msisdn": 254701234567,
"AccountID": "HP56"
}
Verifying the X-Hashpay-Signature
Every webhook request includes an X-Hashpay-Signature header containing an HMAC-SHA256 digest of the raw request body, signed with your webhook secret (found in the HashPay Settings portal). Always verify this signature before trusting the payload — reject any request that fails the check with a 401 response.
Compute the HMAC over the raw, unmodified request body bytes — not a re-serialised JSON string. Any whitespace difference will cause a mismatch.
php
<?php // Retrieve raw body BEFORE reading $_POST or json_decode() $rawBody = file_get_contents('php://input'); $secret = 'YOUR_WEBHOOK_SECRET'; // from HashPay Settings $sigHeader = $_SERVER['HTTP_X_HASHPAY_SIGNATURE'] ?? ''; // Header format: "sha256=<hex>" $expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret); if (!hash_equals($expected, $sigHeader)) { http_response_code(401); exit('Invalid signature'); } // Signature valid — safe to process $payload = json_decode($rawBody, true); if ($payload['event'] === 'payment.success' && $payload['ResponseCode'] === 0) { $txid = $payload['TransactionID']; // "UEC496402X" $ref = $payload['TransactionReference']; // your order ref $msisdn = $payload['Msisdn']; // 254701234567 // fulfil the order ... } http_response_code(200); ?>
node.js
const crypto = require('crypto'); // Express example — use express.raw() to get the raw buffer app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => { const secret = 'YOUR_WEBHOOK_SECRET'; const sigHeader = req.headers['x-hashpay-signature'] ?? ''; const expected = 'sha256=' + crypto .createHmac('sha256', secret) .update(req.body) // raw Buffer .digest('hex'); const valid = crypto.timingSafeEqual( Buffer.from(expected), Buffer.from(sigHeader) ); if (!valid) return res.status(401).send('Invalid signature'); const payload = JSON.parse(req.body.toString()); if (payload.event === 'payment.success' && payload.ResponseCode === 0) { const { TransactionID, TransactionReference, Msisdn } = payload; // fulfil the order ... } res.status(200).send('OK'); });
python
import hmac, hashlib from flask import Flask, request, abort app = Flask(__name__) SECRET = b'YOUR_WEBHOOK_SECRET' @app.route('/webhook', methods=['POST']) def webhook(): raw_body = request.get_data() # raw bytes, before any parsing sig_header = request.headers.get('X-Hashpay-Signature', '') expected = 'sha256=' + hmac.new( SECRET, raw_body, hashlib.sha256 ).hexdigest() if not hmac.compare_digest(expected, sig_header): abort(401) payload = request.get_json() if payload.get('event') == 'payment.success' and payload.get('ResponseCode') == 0: tx_id = payload['TransactionID'] # "UEC496402X" ref = payload['TransactionReference'] # your order ref # fulfil the order ... return '', 200
Use constant-time comparison (
hash_equals / hmac.compare_digest / timingSafeEqual) to prevent timing-attack leaks. Never use === or == for signature comparison.
Wallet B2C API
Manage your HashPay wallet — check the balance, top up via STK Push, and send B2C withdrawals to customer phone numbers.
Check Wallet Balance
POST
https://api.hashback.co.ke/walletbalance
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| account_id | String | Required | Your HashPay wallet ID |
php
<?php $ctx = stream_context_create(['http' => [ 'method' => 'POST', 'header' => 'Content-type: application/json', 'content' => json_encode([ 'api_key' => 'KEY', 'account_id' => 'WALLET_ID' ]) ]]); $r = json_decode( file_get_contents('https://api.hashback.co.ke/walletbalance', false, $ctx), true ); echo "Balance: KES " . $r['balance']; ?>
javascript
const res = await fetch('https://api.hashback.co.ke/walletbalance', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ api_key: 'KEY', account_id: 'WALLET_ID' }) }); const { balance, status } = await res.json(); console.log(`KES ${balance} — ${status}`);
python
import requests r = requests.post( 'https://api.hashback.co.ke/walletbalance', json={'api_key': 'KEY', 'account_id': 'WALLET_ID'} ) data = r.json() print(f"KES {data['balance']} — {data['status']}")
Response
200 OK
{
"success": true,
"walletId": "WALLET_ID",
"balance": 47,
"status": "Active",
"currency": "KES"
}
Top Up Wallet via STK Push
POST
https://api.hashback.co.ke/v2/topup
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| walletid | String | Required | Your HashPay wallet ID |
| amount | String | Required | Top-up amount in KES |
| msisdn | String | Required | Nominated phone number (must match portal) |
The STK Push only succeeds when the customer pays using the nominated number registered in your HashPay portal.
javascript
const res = await fetch('https://api.hashback.co.ke/v2/topup', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ api_key: 'KEY', walletid: 'WALLET_ID', amount: '100', msisdn: '0712345678' }) });
Process Withdrawal (B2C)
POST
https://api.hashback.co.ke/V2/processwithdrawal
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| msisdn | String | Required | Phone number to receive the withdrawal |
| amount | String | Required | Withdrawal amount in KES |
| SecurityCredential | String | Required | Security credential from your HashPay portal |
python
import requests r = requests.post( 'https://api.hashback.co.ke/V2/processwithdrawal', json={ "api_key": "KEY", "msisdn": "07123456789", "amount": 20, "SecurityCredential": "CRED" } ) print(r.json())
200 OK — Success
{
"success": true,
"message": "Withdrawal processed successfully",
"details": {
"amount": 50,
"fee": 5,
"total": 55,
"balance": 92
}
}
200 — Insufficient Funds
{
"success": false,
"message": "Insufficient funds. You need KES 18.00 more"
}
PULL API
Retrieve detailed information about any transaction by ID. Use this for reconciliation, auditing, and generating receipts.
Get Transaction Details
POST
https://api.hashback.co.ke/v1/pullapi
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | String | Required | Your API key |
| account_id | String | Required | Your HashPay account ID |
| transaction_id | String | Required | The transaction ID to retrieve |
bash
curl -X POST https://api.hashback.co.ke/v1/pullapi \ -H 'Content-Type: application/json' \ -d '{ "api_key": "API_KEY", "account_id": "ACCOUNT_ID", "transaction_id": "TRANS_ID" }'
200 — Found
{
"success": true,
"data": {
"transactionId": "TRANS_ID",
"amount": 499,
"billreference": "BILL_REF",
"AccName": "ACC NAME"
}
}
404 — Not Found
{
"success": false,
"message": "Transaction not found"
}
Error Codes
All endpoints follow standard HTTP status codes. Every error response includes a message field with a human-readable description.
| Status | Name | Description | Fix |
|---|---|---|---|
| 200 | OK | Request completed successfully | No action needed |
| 400 | Bad Request | Missing or invalid parameters in the request body | Validate all required fields |
| 401 | Unauthorized | API key is missing, invalid, or expired | Check your API key in Settings |
| 429 | Too Many Requests | Rate limit exceeded for the API key | Implement exponential backoff |
| 500 | Internal Server Error | An unexpected error occurred on the server | Retry once; contact support if it persists |
Support
Get real-time help
Join the WhatsApp developer support group for API questions, integration help, and change notifications from the HashBack team.
Join WhatsApp SupportEmail: support@hashback.co.ke