How to verify Webhook Signature with PHP script

i read this document calculation signature and caculate signature

My source code like this

        $accessKey = <my_access_key>;
        $secretKey = <my_secret_key>;
        $urlPath =  <my_entire _url>; // example:
        $salt = $request->header('salt', null);
        $timestamp = $request->header('timestamp', null);
        $body = $request->all();

        $bodyString = $body && !is_null($body) ? json_encode($body, JSON_UNESCAPED_SLASHES) : '';
        $signatureString = "$path$salt$timestamp$accessKey$secretKey$bodyString";
        $hashSignature = hash_hmac("sha256", $signatureString, $secretKey);
	    $signature = base64_encode($hashSignature);

But my caculator signature is not compare with signature of Rapyd webhook header. Please help me answer why?
Thank for support!

Thanks @Ha_Tr_n. This can happen if our body string is different. The $body_string format should be JSON format, but in the format of a string with no spaces.

For example, if the body is: { "hello": "world" }

It should encoded to a string as: {"hello":"world"}

I do suggest creating a ticket at and our support team can help you with all of your sensitive information.

Thank @Kyle. I checked my body string, but i think “string with no spaces” is not the correct reason.

i send a request to your support team. Hope you help me resolve my issue.

Best Regards,

1 Like

Thanks @Ha_Tr_n, how’s it going? Have you tried using the Request Signatures example:

$body = array();                     // JSON body goes here. Always empty for GET; 
                                     // strip nonfunctional whitespace.
$body_string = json_encode($body);

Compared to:

$body = $request->all();

$bodyString = $body && !is_null($body) ? json_encode($body, JSON_UNESCAPED_SLASHES) : '';

Just an update here - after asking around a lot, I discovered that there are 2 issues that can mess up the string that is hashed:

  • All spaces and other whitespace outside of strings must be removed.
  • Numbers should be sent in strings, not as numbers.