How bKash Payment Integration Works: A Technical Overview
bKash is the leading Mobile Financial Services (MFS) provider in Bangladesh, serving over 70 million active wallets. For any e-commerce platform, digital subscription service, or SaaS portal operating in the country, integrating bKash checkouts is critical to converting traffic into sales. In this article, we'll dive into the technical architecture of bKash payment integrations and how to implement them efficiently.
The Tokenized Checkout Architecture
Modern bKash merchant API integrations use a tokenized checkout flow. This is a major security upgrade over older API structures: customer credentials (MFS account numbers and OTP verification PINs) are handled entirely within secure bKash iframe layers, so merchant servers never handle them and stay clean of liability.
The API Handshake Workflow
A typical bKash payment handshake consists of the following phases:
- Token Request: Your backend makes a secure POST call to bKash authentication servers containing your app key, app secret, username, and password to request a temporary access token.
- Payment Creation: Using the active access token, your server posts the transaction details (amount, order reference ID, and BDT as the currency) to the create payment endpoint. bKash returns a secure iframe link.
- Iframe Render: The client's web browser opens the returned iframe link. The customer enters their bKash phone number, verifies a one-time PIN (OTP) sent by SMS, and completes verification by entering their wallet PIN.
- Payment Execution: Once the customer enters their PIN, your server receives the successful callback with its session token and sends an execute payment command to finalize the fund movement.
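The four phases above, sketched from the merchant server's side as an added example (not bKash's or BDGate's code), showing the checks to make around the execute step: the callback's payment ID must match the one issued for that order, the executed amount must match the server-side order, and a repeated callback must not execute twice. Assumptions: FakeGateway is a constructed in-memory stand-in, and every class, method, field and URL name here is hypothetical rather than the real API.

```python
import hmac, secrets, time

class FakeGateway:
    """Constructed in-memory stand-in for the provider; names are hypothetical."""
    def __init__(self):
        self.payments, self.grants = {}, 0
    def grant_token(self, app_key, app_secret, username, password):
        self.grants += 1
        return {"token": secrets.token_hex(16), "expires_at": time.time() + 3600}
    def create_payment(self, token, amount, order_ref, currency="BDT"):
        pid = secrets.token_hex(8)
        self.payments[pid] = {"amount": amount, "order_ref": order_ref}
        return {"payment_id": pid, "checkout_url": f"https://gateway.example/pay/{pid}"}
    def execute_payment(self, token, payment_id):
        return {"status": "completed", **self.payments[payment_id]}

class Merchant:
    def __init__(self, gateway, creds):
        self.gw, self.creds, self.tok, self.orders = gateway, creds, None, {}
    def _token(self):
        # Phase 1: request a token, then reuse it until shortly before expiry
        if not self.tok or self.tok["expires_at"] - 60 < time.time():
            self.tok = self.gw.grant_token(**self.creds)
        return self.tok["token"]
    def start_checkout(self, order_ref, amount):
        # Phase 2: the amount comes from the server-side order record
        r = self.gw.create_payment(self._token(), amount, order_ref)
        self.orders[order_ref] = {"amount": amount, "payment_id": r["payment_id"], "paid": False}
        return r["checkout_url"]  # Phase 3: the browser opens this link
    def handle_callback(self, order_ref, payment_id):
        # Phase 4: callback values are untrusted until matched to our own record
        order = self.orders.get(order_ref)
        if order is None or not hmac.compare_digest(order["payment_id"], payment_id):
            return "rejected"
        if order["paid"]:
            return "already-paid"  # replayed callback must not execute twice
        res = self.gw.execute_payment(self._token(), payment_id)
        if (res["status"], res["amount"], res["order_ref"]) != ("completed", order["amount"], order_ref):
            return "mismatch"
        order["paid"] = True
        return "paid"

def demo():
    gw = FakeGateway()
    shop = Merchant(gw, dict(app_key="k", app_secret="s", username="u", password="p"))
    url = shop.start_checkout("ORD-1", "500.00")
    pid = shop.orders["ORD-1"]["payment_id"]
    return [shop.handle_callback("ORD-1", "not-a-payment-id"), shop.handle_callback("ORD-1", pid),
            shop.handle_callback("ORD-1", pid), gw.grants, url.endswith(pid)]
```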
Integrating via BDGate Aggregator
Developing direct bKash tokenized API connections requires merchant validation credentials issued via commercial banking channels, which can take weeks to configure. BDGate abstracts this setup complexity. By linking your systems to our unified RESTful API, you gain full access to bKash checkouts immediately without managing separate token handshakes or multi-key structures.