Verify Webhook Signature?

Hello everyone!

I have a question related Rapyd webhook. I want to verify the signature get from webhook. I am PHP Developer and this is my code:

$access_key = 'access-key'; // get from Dashboard
$secret_key = 'secret-key'; // get from Dashboard

$salt = 'epiAT7douEg/9ezxZzoByA=='; // get from webhook header
$timestamp = 1642058448; // get from webhook header
$signature_from_webhook = 'base-64-value'; // get from webhook header

// Data from payment hook
$request = json_decode(file_get_contents("php://input"), true); // array value
$body_string = json_encode($body,JSON_UNESCAPED_SLASHES);

// Calulate signature to verify
$sig_string = $path.$salt.$timestamp.$access_key.$secret_key.$body_string;
$hash_sig_string = hash_hmac("sha256", $sig_string, $secret_key);
$my_signature = base64_encode($hash_sig_string);

// Why $my_signature always different from $signature_from_webhook??


So, my question is why signature i calulated always different from the webhook?

(I think the $path, $salt, $timestamp, $access_key, $secret_key is always right! How about $body_string format)

Thank you for your reading!

[Additional Info] I reference code and docs from:

Thanks @Minh_Nguy_n_Van.

This can happen in the $body_string format as you suspect.

One thing to note, the body should be JSON format, but in the format of a string with no spaces.

For example, if the body is: { "hello": "world" }

It should encoded to a string as: {"hello":"world"}

Does this help? You can also complete a ticket at and our support team can help you with all of your sensitive information.