Request signature in PHP

This article presents a sample implementation of a request signature in PHP.

# Dependencies

No external dependencies are required to generate the signature.

# Example

The following simple example implements the algorithm described in the Request signature guide. The most important thing is to use the hash_hmac function with the appropriate sha256 algorithm and give the parameters in the right order: method, url, timestamp, body.

The method parameter should be provided in uppercase and the uri should contain only the path from the URL, not the full URL address. The full URL address should be converted to /webhook?a=1.

If the algorithm works correctly, it should generate the same signature as the one given below: 56ac656c7f932c5b775be28949e90af9a2356eae2826539f10ab6526a0eec762 for the following parameters:

  • apiSecret=SECRET

  • method=POST

  • uri=http://demo.example.com/webhook?a=1

  • timestamp=1563276169752

  • body=['a' => 1]

<?php

$secret = 'SECRET';

function generateSignature($apiSecret, $method, $url, $timestamp, $body)
{
    $parsedUrl = parse_url($url);
    $uri = $parsedUrl['path'] ?? '';

    if (isset($parsedUrl['query'])) {
        $uri .= '?' . $parsedUrl['query'];
    }

    $data = $method . $uri . $timestamp;

    if ($body) {
        $data .= json_encode($body);
    }

    $hmac = hash_hmac('sha256', $data, $apiSecret);

    return $hmac;
}

$expectedSignature = '56ac656c7f932c5b775be28949e90af9a2356eae2826539f10ab6526a0eec762';
$generatedSignature = generateSignature(
    'SECRET',
    'POST',
    'http://demo.example.com/webhook?a=1',
    '1563276169752',
    ['a' => 1]
);

echo $expectedSignature === $generatedSignature ? 'true' : 'false';

# Usage

Run:

php index.php

The above code should print true in the console.