Undefined array key "X-Square-HmacSha256-Signature

I keep getting this error Undefined array key "X-Square-HmacSha256-Signature

Here is the code:

function isFromSquare($signature, $body) {
$hash = hash_hmac(“sha256”, NOTIFICATION_URL, $body, SIGNATURE_KEY, true);
return base64_encode($hash) == $signature;

$headers = apache_request_headers();
$signature = $headers[“X-Square-HmacSha256-Signature”];

my php version is 8.0

Are you getting this with our example Webhook event notification validation in PHP?


require 'vendor/autoload.php';
use Square\Utils\WebhooksHelper;

// The URL where event notifications are sent.
define("NOTIFICATION_URL", "https://example.com/webhook");

// The signature key defined for the subscription.
define("SIGNATURE_KEY", "asdf1234");

// Start a simple server for local testing.
// Different frameworks may provide the raw request body in other ways.
// 1. Run the server:
//    php -S localhost:8000 server.php
// 2. Send the following request from a separate terminal:
//    curl -vX POST localhost:8000 -d '{"hello":"world"}' -H "X-Square-HmacSha256-Signature: 2kRE5qRU2tR+tBGlDwMEw2avJ7QM4ikPYD/PJ3bd9Og="

$headers = apache_request_headers();
$signature = $headers["X-Square-HmacSha256-Signature"];

$body = '';   
$handle = fopen('php://input', 'r');
while(!feof($handle)) {
    $body .= fread($handle, 1024);

if (WebhooksHelper::isValidWebhookEventSignature($body, $signature, SIGNATURE_KEY, NOTIFICATION_URL)) {
    // Signature is valid. Return 200 OK.
    echo "Request body: $body\n";
} else {
  // Signature is invalid. Return 403 Forbidden.
    // Signature is invalid. Return 403 Forbidden.
return http_response_code();

Do you have any additional details? Also whats your application ID? :slight_smile:

Hi wizard2475 (and Bryan-Square)
Had a similar issue so wrote header response to a database and found that the header key is actually ‘X-Square-Hmacsha256-Signature’ instead of ‘X-Square-HmacSha256-Signature’. This edit worked for me.

Thanks for sharing your findings. @wizard2475 did the change to X-Square-Hmacsha256-Signature work? I’ll be sharing this with the team. :slight_smile:

Yes, appears it is just a typo

That fixed the one error but I’m still getting response codes 302. Looks like I’m still missing something

Thank You

Wasn’t aware of the 302 response. Is that an HTTP response? What’s the error? :slight_smile:

Here’s what it said:

square-initial-delivery-timestamp: 2023-08-25T10:25:30Z
x-square-signature: XXX(removed)
content-length: 1453
square-environment: Sandbox
square-retry-number: 14
square-version: 2023-07-20
host: yourcitysafe.com
content-type: application/json
x-square-hmacsha256-signature: RxWiS7Js8KlT8lE2poqkNLXh4FPtNtTVWr2OpR3x0+c=
square-retry-reason: http_error
accept: */*
user-agent: Square Connect v2

  "merchant_id": "ML081T3MA6AEZ",
  "type": "payment.updated",
  "event_id": "1a10eef7-ae15-3608-a684-b3f3f3624455",
  "created_at": "2023-08-25T10:25:28.124Z",
  "data": {
    "type": "payment",
    "id": "(removed)9MZY",
    "object": {
      "payment": {
        "amount_money": {
          "amount": 3016,
          "currency": "USD"
        "application_details": {
          "application_id": "sandbox-sq0idb-XV8bg17cydkbTE6j7gd2hw",
          "square_product": "ECOMMERCE_API"
        "approved_money": {
          "amount": 3016,
          "currency": "USD"
        "card_details": {
          "avs_status": "AVS_ACCEPTED",
          "card": {
            "bin": "510510",
            "card_brand": "MASTERCARD",
            "card_type": "CREDIT",
            "exp_month": 4,
            "exp_year": 2025,
            "fingerprint": "sq-1-guPiWQoq5SeyicrKBtkpL-9nlDXG3Pgoz6ubvfP7brymoBfXCBYbWU1fiBOL0cP2fA",
            "last_4": "5100",
            "prepaid_type": "NOT_PREPAID"
          "card_payment_timeline": {
            "authorized_at": "2023-08-25T10:25:26.505Z",
            "captured_at": "2023-08-25T10:25:26.578Z"
          "cvv_status": "CVV_ACCEPTED",
          "entry_method": "KEYED",
          "statement_description": "SQ *DEFAULT TEST ACCOUNT",
          "status": "CAPTURED"
        "created_at": "2023-08-25T10:25:26.392Z",
        "delay_action": "CANCEL",
        "delay_duration": "PT168H",
        "delayed_until": "2023-09-01T10:25:26.392Z",
        "id": "b7PCXytqj1imG12yomXUVyHuK9MZY",
        "location_id": "L0VB77Z2J928B",
        "order_id": "PlEFCgyz0ByJMPxIxGLCHXLfoBLZY",
        "receipt_number": "b7PC",
        "receipt_url": "https://squareupsandbox.com/receipt/preview/b7PCXytqj1imG12yomXUVyHuK9MZY",
        "source_type": "CARD",
        "status": "COMPLETED",
        "total_money": {
          "amount": 3016,
          "currency": "USD"
        "updated_at": "2023-08-25T10:25:28.121Z",
        "version": 2

Okay, great! That’s the webhook event. I took a look at your logs and see the 302 you mentioned. That’s the response from your server that’s logged. A 302 is a found response. We recommend that you respond with a 2xx within 10 seconds of receiving the event. :slight_smile: