Skip to main content

Signature Validation


Signature Validation

Since your webhook URL is publicly available, you need to verify that events are truly originating from Curacel and not an unauthorized entity. Therefore, you need to check for authenticity using the Webhook Secret which you specified in the webhook settings of your dashboard.

The events sent from Curacel carry the x-curacel-signature header. The value of this header is an HMAC SHA256 signature of the event payload signed using your webhook secret. Verifying the header signature should be done before processing the event:

<?php
// ensure it's post request with the curacel signature header
if ((strtoupper($_SERVER['REQUEST_METHOD']) != 'POST' ) || !array_key_exists('x-curacel-signature', $_SERVER) )
exit();

// Retrieve the request's body
$input = @file_get_contents("php://input");

// validate event
if($_SERVER['HTTP_X_CURACEL_SIGNATURE'] !== hash_hmac('sha256', $input, WEBHOOK_SECRET))
exit();

http_response_code(200);

// parse event (which is json string) as object
// Do something - that will not take long - with $event
$event = json_decode($input);

exit();
?>