mbpay
Live · matching SMS in under 2 seconds

Accept MFS payments, verified automatically.

mbpay matches your customers' transaction IDs against the SMS your merchant device receives, then fires a signed webhook the moment a payment is confirmed. No funds custody. No manual reconciliation.

Create a merchant accountRead the docs

Supports

bKashNagadRocketUpayTap
Live verificationMatched in 1.4s
bKashnow

Cash In Tk 2,500.00 from 01XXXXXXXXX successful. TrxID 8H49KCAB12

TrxID matched against SMS

amount · provider · time-window ✓

POST /webhooks/mbpay

signed · 200 OK · HMAC verified

Tk ✓
0

MFS providers supported

0.0s

Average match latency

0.0%

Webhook delivery success

0

Funds we touch (we never custody money)

How it works

Three steps. Under two seconds.

No payment gateway accounts. No reseller agreements. Your merchant number stays yours — we just read the SMS your phone already receives and prove the payment to your backend.

01

Customer pays from their MFS app

On your checkout, mbpay shows the merchant phone number and the exact amount. The customer opens bKash/Nagad/Rocket/Upay/Tap on their own phone and sends the money normally — same flow they already know.

02

Your phone forwards the MFS SMS

The mbpay Android app, running on the agent's device, reads incoming MFS notifications and forwards them to our backend over WebSocket within ~1 second of the SMS landing.

03

mbpay matches + signs a webhook

Customer submits their TrxID on the hosted checkout. We match it against the ingested SMS for amount + provider + time-window, then POST a signed HMAC webhook to your endpoint. You credit the customer.

Webhook payload includes HMAC signature, payment id, txn id, amount, provider, and your reference.

Features

Built for production from day one.

Every feature you'd build yourself in month two — already wired, audited, and documented.

Real-time SMS ingest

WebSocket forwarder on the agent's phone delivers MFS notifications within ~1 second of the SMS arriving.

HMAC-signed webhooks

Every match fires a webhook signed with your brand's rotating HMAC secret. SDK includes verifyWebhook out of the box.

Nonce-protected API

Brand-HMAC requests carry a per-request nonce stored in Redis. Replays are rejected at the edge.

Multi-device per agent

One agent, many phones. Each device has its own login and JWT. Block, rotate password, or delete any device independently.

Daily deposit caps

Per-agent and per-device daily limits, gated independently at runtime against the Asia/Dhaka calendar day.

Telegram match alerts

Per-agent and per-device chat ids. Every match fires an HTML-formatted notification with txn id, amount, and provider.

Manual match fallback

For the rare SMS that never arrives (carrier issue, parser drift), agents can confirm a payment from their dashboard with full audit trail.

Per-IP + per-payment rate limit

Layered rate limiting on the public submit endpoint, Redis-backed for multi-instance correctness.

SSRF-guarded webhooks

Outbound webhook URLs are resolved and blocked if they point to private, loopback, or link-local addresses.

Providers

Every MFS in Bangladesh that matters.

Parsers for the full lineup of provider SMS formats. Real production samples, not best guesses.

bKash logo

bKash

live

Personal + Merchant + Agent SMS templates

Send MoneyCash OutPayment
Nagad logo

Nagad

live

Multi-line SMS parsed with dotall regex

Money ReceivedCash Out Received
Rocket logo

Rocket

live

DBBL Rocket transaction notifications

Cash InSend Money
Upay logo

Upay

live

UCB Upay transaction notifications

Cash InPayment
Tap logo

Tap

live

Tap by TMSS transaction notifications

Receive Money

Need another provider?

Send us 3 real SMS samples — typical turnaround is 24h to add support.

Integration

Five lines.
Then redirect.

The official mbpay SDK handles HMAC signing, request signing, and webhook verification. Drop it in, set three env vars, ship.

$pnpm add mbpay

Server-side

Node.js, Next.js (server actions), Express, Hono — anywhere you run JS.

Typed end-to-end

Zod-validated payloads, full TypeScript inference on responses and webhook events.

Read the full guideView on npm
app/checkout.ts
import { Mbpay } from 'mbpay';

const mbpay = new Mbpay({
  publicKey:  process.env.MBPAY_PUBLIC_KEY!,
  secretKey:  process.env.MBPAY_SECRET_KEY!,
  hmacSecret: process.env.MBPAY_HMAC_SECRET!,
});

"cm">// 1. Create a payment, redirect the customer:
const { payment } = await mbpay.initiatePayment({
  provider: 'bkash',
  amount:   500.00,
  endUserRef: 'order_42',
  successUrl: 'https://example.com/orders/42',
});

"cm">// 2. Send them to the hosted checkout:
redirect(payment.checkout_url);

"cm">// 3. Verify the webhook on your endpoint:
const event = mbpay.verifyWebhook(rawBody, signature);
if (event.status === 'matched') {
  await creditCustomer(event.endUserRef);
}

FAQ

Common questions.

No. mbpay never touches funds. Payments go directly from the customer's MFS account to the phone number you control. We just prove that the payment happened by matching the customer-submitted TrxID against the SMS your merchant phone receives.

Stop checking SMS by hand.

Set up a brand, install the Android app on the agent's phone, drop the SDK into your checkout. You're live in under an hour.

Get started — freeRead the docs

No credit card required. mbpay never holds your money.