// Created on savesnippets.com · https://savesnippets.com/AL5776SqX3lygu
<?php
function verifyWebhookSig(string $rawBody, string $sigHeader, string $secret, int $tolerance = 300): bool {
    // Expecting header like: "t=1234567890,v1=abc123..."
    $parts = [];
    foreach (explode(',', $sigHeader) as $part) {
        if (str_contains($part, '=')) {
            [$k, $v] = explode('=', $part, 2);
            $parts[trim($k)] = trim($v);
        }
    }
    if (empty($parts['t']) || empty($parts['v1'])) return false;
    if (abs(time() - (int)$parts['t']) > $tolerance) return false;

    $signed   = $parts['t'] . '.' . $rawBody;
    $expected = hash_hmac('sha256', $signed, $secret);
    return hash_equals($expected, $parts['v1']);
}

$raw = file_get_contents('php://input');
$sig = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
if (!verifyWebhookSig($raw, $sig, getenv('WEBHOOK_SECRET'))) {
    http_response_code(400); exit('Bad signature');
}