Callback Signature Verification.
Callback Verification Example (PHP)
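<?php

declare(strict_types=1);

// Step 1: Get raw POST data from callback
$json = file_get_contents('php://input');

// Step 2: Decode the body and reject anything that is not a JSON object.
// Without this check an invalid or empty body decodes to null and the HMAC
// below would be computed over the literal string "null".
$data = json_decode((string) $json, true);
if (!is_array($data)) {
    http_response_code(400);
    echo 'Malformed callback payload';
    exit;
}

// Step 3: Extract the signature from the payload. Anything other than a string
// (e.g. an array or number supplied by the caller) is treated as "no signature":
// hash_equals() throws a TypeError on non-string input, which would otherwise
// surface as an uncaught error instead of a clean rejection.
$receivedSignature = $data['signature'] ?? '';
if (!is_string($receivedSignature)) {
    $receivedSignature = '';
}

// Step 4: Remove the signature before verification
unset($data['signature']);

// Step 5: Recreate the payload as JSON string.
// NOTE(review): this only works if json_encode() reproduces the sender's
// serialization byte for byte (key order, slash/unicode escaping, number
// formatting) — confirm the sender's canonicalization rules, or sign the raw
// request body if the provider supports that. A re-encoding failure throws
// (JsonException) rather than silently signing an empty string.
$payload = json_encode($data, JSON_THROW_ON_ERROR);

// Step 6: Recalculate the signature using the shared secret.
// Prefer reading the secret from the environment over committing it with the
// code; the literal is kept only as a placeholder for the example.
// (CALLBACK_SHARED_SECRET is a constructed variable name — use your deployment's.)
$secretKey = getenv('CALLBACK_SHARED_SECRET') ?: 'your_shared_secret_key_here';
$calculatedSignature = hash_hmac('sha256', $payload, $secretKey);

// Step 7: Compare signatures in constant time
if (hash_equals($calculatedSignature, $receivedSignature)) {
    // ✅ Signature is valid – process payment
    http_response_code(200);
    echo 'Callback verified successfully';
} else {
    // ❌ Signature is invalid – reject request
    http_response_code(403);
    echo 'Invalid callback signature';
}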