Direct API: Mobile Money
Direct API: Mobile Money
End-to-end Direct API integration for mobile money payments
Direct API: Mobile Money
End-to-end Direct API integration for mobile money payments
This guide walks through a complete mobile money payment using CrissCross’s Direct API. It assumes you’ve decided not to use Hosted Checkout or our SDK, and want to drive the flow yourself.
For the conceptual overview, supported operators, and sandbox test numbers, see Mobile Money. This page is the request/response reference.
merchantId and API credentials. See Authentication for how to obtain a bearer token.All requests in this guide go to https://api.crisscross.money/v1.
A mobile money payment touches five endpoints. Steps 2 and 5 are optional but recommended:
POST /v1/checkout/session — Create a session for the payment. → returns sessionId.GET /v1/payment/available-methods?sessionId=... — Check which operators are available for this payer. Useful for rendering the operator selector.POST /v1/payment — Initiate the transaction. → returns transactionId, transaction enters pending.GET /v1/payment/{transactionId} — Wait for the customer to approve on their handset. The terminal state arrives by webhook; poll if you need an interactive UI.POST /v1/payment/refunds — Refund the payment later. See Refunds.POST /v1/payment/authorize is not part of the mobile money flow. It exists for card 3-D Secure challenges and similar redirect-based flows. Don’t call it for mobile money.
Keep the sessionId. You’ll use it for the next two calls. A session can only have one active transaction at a time — POST /v1/payment will return 409 Conflict if you try to initiate a second one against the same session.
If you want to render an operator picker driven by what’s actually configured for the payer’s country, ask the API:
A few things to note:
type field is always "mobilemoney" — there is no "mtn-momo" or "mobile-money" variant. Operator selection happens inside paymentDetails.provider on the payment request.options list under provider is country-filtered based on payerDetails.location from the session. For Kenya you’ll only see M-Pesa; for Côte d’Ivoire you’ll see MTN, Orange, Moov, and Wave.You can skip this call entirely if you already know which operator the customer is using.
At this point CrissCross has sent the request to the operator, which has dispatched the push / USSD prompt to the customer’s handset. The customer now has to approve.
Tell your customer what’s happening. A mobile money pending screen should say something like “Check your phone — we’ve sent an MTN prompt to +254 ••• •••• 567. Enter your MoMo PIN to approve.” If you skip this, customers often think the page is broken and abandon.
You have two options, and most integrations use both. Webhooks are the source of truth; polling is for keeping your customer-facing UI responsive while you wait.
Subscribe to these event types on your webhook endpoint:
Example completed payload:
Match incoming events to the transaction using payload.transactionId (preferred) or payload.merchantReference. Verify the webhook signature on every delivery — see Webhooks → Securing webhooks.
If you need to update the customer-facing screen as soon as approval happens (rather than waiting for the webhook to land on your server and round-trip back), poll:
Response while the customer is approving:
Response after the customer approves:
Recommended polling cadence: every 2 seconds for the first 30 seconds, then back off to every 5 – 10 seconds. Stop polling once status is no longer pending, or after ~3 minutes total — at that point trust the webhook. Customers usually approve within 10 – 30 seconds.
Always reconcile against the webhook. The handset prompt can be approved or rejected after your polling timeout, and providers occasionally back-date the confirmation. The transaction’s final state is whatever the most recent webhook for that transactionId says.
If the customer rejects, times out, or has insufficient funds, the transaction ends in status: FAILED with authState.type: "auth_failure" and a specific code:
Common codes you’ll see for mobile money:
An auth failure is terminal for the transaction. To retry, create a new transaction on the same sessionId (or a fresh session if it has expired).
authState.type: "error" is distinct from auth_failure — it means CrissCross or the operator hit a system error, not that the payment was declined. The response carries hints about how to recover:
canRetry: true — Re-initiate the transaction. If your account has a fallback processor configured for the same operator, CrissCross will route the retry there.canPoll: true — The error came from a polling attempt; keep polling, the transaction may still complete.sessionId can only have one active transaction at a time. Repeated POST /v1/payment calls with the same sessionId return 409 Conflict while the first transaction is still live, which is the intended way to prevent duplicate charges if your client retries.merchantReference on the session — this gives you a stable identifier for reconciliation via GET /v1/payment/search?merchantReference=....eventId in your handler. See Webhooks → Best practices.Sandbox responses are driven by the last digits of payerMobileNumber. The full table of test numbers is on the Mobile Money page — short version:
0970000005 – 0970000010, 0970000014 → specific auth failure codes.0970000012, 0970000013 → system errors.0970000015 – 0970000017 → transient errors for exercising retry logic.Use a real payerDetails.location for the country code you’re testing — the number is normalised against it, so 0970000005 with "location": "KEN" and 0970000005 with "location": "NGA" produce the same failure but on different normalised numbers.
For the full schemas of every request and response, see the Payments API reference.