Payload Signature

In order to verify that the payload has not been tempered with when you received the webhook, you can use the payload of the request and your secret to calculate the signature and compare it with the one in the signature header of the request.

// Payload is the post request body.
// Secret is set in your webhook settings.

$payloadJson = json_encode($payload); 

$signature = hash_hmac('sha256', $payloadJson, $secret);