Verify signatures¶

Postpay signs the webhook events it sends to your endpoints by including a signature in each event’s X-Postpay-Signature header. This allows you to verify that the events were sent by Postpay, not by a third party.

use Postpay\Http\Signature;

$is_valid = Signature::verify($payload, $header, $secret);

if (!$is_valid) {
    http_response_code(403);
    exit();
}

Parameter	Type	Description
payload	String❗	The event payload.
header	String❗	The HTTP `X-Postpay-Signature` header.
secret	String❗	The hook secret will be used as the key to generate the HMAC hex digest.
tolerance	Integer	Maximum difference allowed between the header’s timestamp and the current time in order to prevent Replay attacks. Default: `300`.