This signature allows your server to verify that the webhook originated from Fiato and that its content has not been tampered with.

When Fiato sends a webhook, it includes an x-fiato-signature header generated using HMAC-SHA256 encryption. The signature is derived by hashing the raw request body with your Fiato Webhook Secret Key.

Your server should recompute the HMAC signature on your end using the same secret key and compare it to the value in the x-fiato-signature header. If both signatures match, the webhook is verified as genuine.

To verify the webhook, you must:

Retrieve the raw request body.
Compute a new HMAC-SHA256 hash using your Merchant API Key (the same one registered with Fiato) and the RAW payload data.
Compare your computed hash to the one in the fiato-signature header.
Process the webhook only if they match.

<?php
// Replace with your actual merchant API key
$merchant_api_key = 'YOUR_MERCHANT_API_KEY';

// Get raw body and signature from Fiato webhook
$payload = file_get_contents('php://input');
$fiato_signature = $_SERVER['HTTP_FIATO_SIGNATURE'] ?? '';

// Recompute HMAC-SHA256 signature (binary output = true)
$computed_signature = hash_hmac('sha256', $payload, $merchant_api_key, true);

// Convert both to base64 or binary-safe compare
$is_valid = hash_equals($computed_signature, $fiato_signature);

if ($is_valid) {
    // Process the webhook data...
} else {
   // Discard the webhook data...
}
?>