Callback
Setting up a callback URL
Transfer and RequestToPay APIs are Asynchronous in MTN MoMo API Platform
When a merchant system sends a POST of either /transfer, or /requesttopay APIs, the Gateway validates the request and then responds with '202 Accepted'
The transaction is then queued for processing.
Once processed, a callback with the final result of the transaction is sent to the merchant system
In order to receive the callback for your transactions, please consider the following:
a) On Sandbox
Register your callback host by specifying the domain as providerCallbackHost when creating your API Keys. On production this will be done via the Account Portal
Specify the callback URL in each of your /requesttopay or /tranfer POST
Use http and not https on sandbox
Allow PUT & POST on your callback listener host
a) On Production
After Go-live you will be provided a link to log on to your Accounts Portal
You will be required to register you callback host on the portal when creating your API keys as shown below
Only https is allowed on production
Allow PUT & POST on your callback listener host
.png)
Please note that the Wallet Platform sends the callback only once. There is no retry mechanism if the partner system does not respond. To ensure reliability, we strongly recommend that partner systems implement a fallback mechanism by polling the transaction status using the appropriate GET method.
Let's take the Deposit API (Deposit-V1) under the Disbursement product set as an example:
1. The transaction request is sent as described in the documentation: https://momodeveloper.mtn.com/API-collections#api=disbursement&operation=Deposit-V1
2. To receive a callback, you must include your callback URL in the X-Callback-Url header.
This URL must be hosted on the same domain specified when creating the API user.
3. The callback will be a POST request, and the payload will be similar to the response returned by the status check API for the same operation.
NOTE: By implementing status polling, you can ensure transaction completion even in cases where the callback is missed.
Approved Intermediate CA's for Open API
For Open API callbacks to function, the 3PP Intermediate certificate chains must be imported on the OpenAPI Partner Gateway tls_keystore and callback URLs are required to use https L7 protocol:
CN - Refers to the Common name of the immediate intermediate CA Chain
Alias - Refers to the name that is used while storing the Certificate in PG's tls_keystore
Below is the list of Approved Intermediate CA's that's already available to use:
NOTE: Incase any Partner's callback URL is not part of the Approved Intermediate CA's, callbacks might not work for the said Partners.
| Alias | CN |
|---|---|
| amazon_root_ca_1_starfield_services_root_certificate_authority_g2 | CN=Amazon Root CA 1, O=Amazon, C=US |
| amazonrca4 | CN=Amazon Root CA 4, O=Amazon, C=US |
| amazonintermediatecert | CN=Amazon RSA 2048 M01, O=Amazon, C=US |
| amazon_rsa_2048_m02_amazon_root_ca_1 | CN=Amazon RSA 2048 M02, O=Amazon, C=US |
| amazon_rsa_2048 | CN=Amazon RSA 2048 M03, O=Amazon, C=US |
| amazonca1b | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US |
| certum_domain_validation_ca_sha2_certum_trusted_network_ca | CN=Certum Domain Validation CA SHA2, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL |
| comodo_rsa_domain_validation_secure_server_ca | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB |
| digicert global g2 tls rsa sha256 2020 ca1 | CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US |
| digicert global root g2 | CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US |
| digicert_sha2_high_assurance_server_ca | CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US |
| digicert_sha2_secure_server_ca | CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US |
| digicert_tls_rsa_sha256_2020_ca1 | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US |
| e1 | CN=DPDHL Global TLS CA - I5, O=Deutsche Post AG, C=DE |
| encryption_everywhere_dv_tls_ca_-_g1 | CN=DPDHL Global TLS CA - I5, O=Deutsche Post AG, C=DE |
| e7 | CN=E7, O=Let's Encrypt, C=US |
| encryption everywhere dv tls ca - g1 | CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US |
| ee_ca-g2 | CN=Encryption Everywhere DV TLS CA - G2, OU=www.digicert.com, O=DigiCert Inc, C=US |
| entrustl1k_.entrustrootca-g2 | CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US |
| entrust_ov_tls-issuing_rsa_ca_1 | CN=Entrust OV TLS Issuing RSA CA 1, O=SSL Corporation, C=US |
| gandi_ca3 | CN=Gandi RSA Domain Validation Secure Server CA 3, O=Gandi, C=FR |
| geotrust_ev_rsa_ca_2018 | CN=GeoTrust EV RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US |
| geotrust_global_tls_rsa4096_sha256_2022_ca1 | CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US |
| geotrust_rsa_ca_2018 | CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US |
| geostrust_ca_g1 | CN=GeoTrust TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US |
| globalsign_ca_r3 | CN=GlobalSign Atlas R3 DV TLS CA 2024 Q3, O=GlobalSign nv-sa, C=BE |
| globalsign_ca_r6 | CN=GlobalSign GCC R6 AlphaSSL CA 2023, O=GlobalSign nv-sa, C=BE |
| globalsign_gcc_r6_alphassl_ca_2025 | CN=GlobalSign GCC R6 AlphaSSL CA 2025, O=GlobalSign nv-sa, C=BE |
| globalsign_rsa_ov_ssl_ca_2018 | CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE |
| go daddy secure certificate authority - g2 | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US |
| go daddy secure certificate authority - g2.crt | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US |
| go_daddy_secure_certificate_authority_-_g2 | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US |
| gogetssl_rsa_dv_ca | CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV |
| gts_ca_1c3 | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US |
| gts_ca_1d4 | CN=GTS CA 1D4, O=Google Trust Services LLC, C=US |
| isrg root x1_new1 | CN=ISRG Root X1, O=Internet Security Research Group, C=US |
| azure_rsa_ca3 | CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US |
| azure_rsa_ca7 | CN=Microsoft Azure RSA TLS Issuing CA 07, O=Microsoft Corporation, C=US |
| alpayintermediate | CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US |
| rapidssl global tls rsa4096 sha256 2022 ca1.crt | CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US |
| rapidssl_tls_rsa_ca_g1 | CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US |
| sectigo_ecc_domain_validation_secure_server_ca | CN=Sectigo ECC Domain Validation Secure Server CA 2, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB |
| sectigo_public_server_authentication_ca_dv_r36 | CN=Sectigo Public Server Authentication CA DV R36, O=Sectigo Limited, C=GB |
| sectigo_rsa_domain_validation_secure_server_ca | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB |
| sectigo_rsa_organization_validation_secure_server_ca | CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB |
| ssl.com_rsa_ssl_subca | CN=SSL.com RSA SSL subCA, O=SSL Corporation, L=Houston, ST=Texas, C=US |
| starfield_services_root_certificate_authority_g2 | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US |
| 3pp_ca-bundle | CN=Starfield Services Root Certificate Authority, OU=http://certificates.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US |
| thawte_ev_rsa_ca_2018 | CN=Thawte EV RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US |
| digicert_g_r2 | CN=Thawte EV RSA CA G2, O=DigiCert Inc, C=US |
| thawte_rsa_ca_2018 | CN=Thawte RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US |
| thawte_tls_rsa_ca_g1_digicert_global_root_g2 | CN=Thawte TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US |
| usertrust_rsa_certification_authority | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US |
| we1 | CN=WE1, O=Google Trust Services, C=US |
| we1_gts | CN=WE1, O=Google Trust Services, C=US |
| we2 | CN=WE2, O=Google Trust Services, C=US |
| wr2 | CN=WR2, O=Google Trust Services, C=US |
| wr3 | CN=WR3, O=Google Trust Services, C=US |
| wr4 | CN=WR4, O=Google Trust Services, C=US |
| zerossl_rsa_domain_secure_site_ca | CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT |
| viking_ca1 | CN="Viking Cloud Organization Validation CA, Level 1", O="Viking Cloud, Inc.", C=US |
← Common Error Codes Brand Guidelines →