CrystalPay
ProfileAppsM-Pesa Accounts

Hosted Checkout Apps

Each app gets a product slug and ingest token. Your server calls the checkout endpoint with those credentials to create a payment session.

Checkout endpoint: POST https://api.crystalpay.co.ke/integration/v1/checkout-sessions

New app

Lowercase letters, digits, hyphens, or underscores (e.g. my-billing-app). Used in API calls.

CrystalPay will relay verified events to this URL for this app.

Apps

Loading…

API Keys

HMAC-signed server-to-server keys. Used by the WHMCS module and any backend calling the CrystalPay API directly.

Loading…

How to authenticate

Include X-Api-Key, X-Timestamp, X-Nonce, and X-Signature (HMAC-SHA256) on every API request. See the WHMCS module for a reference implementation.

Platform Webhooks

Receive signed HTTP callbacks for account-level events (payouts, withdrawals). Each request carries X-CrystalPay-Signature (HMAC-SHA256) for verification.

Add endpoint

Leave all unchecked to receive every event.

Registered endpoints

Loading…