Verification is not working for my URL

I am setting up a page for order.created webhook to post to on my website. The problem that I am running into is that the PHP code that is provided by Square to verify that the request came from Square is not working with the webhook that I set up in my Square Sandbox. Even when running the code below, the 403 response code is being returned when testing from the Square Sandbox.

If I remove the call to the isFromSquare method from my actual (not the test script posted below) PHP script, the request saves to the database as expected.

Please advise what I am missing or doing wrong.

Web page code

// The URL where event notifications are sent.
define("NOTIFICATION_URL", "");

// The signature key defined for the subscription.
define("SIGNATURE_KEY", "_xRrk2tI9p6m429xcKxWFg");

// isFromSquare generates a signature from the url and body and compares it to the Square signature header.
function isFromSquare($signature, $body) {
  $hash = hash_hmac("sha256", NOTIFICATION_URL.$body, SIGNATURE_KEY, true);
  return  base64_encode($hash) == $signature;

// Start a simple server for local testing.
// Different frameworks may provide the raw request body in other ways.
// 1. Run the server:
//    php -S localhost:8000 server.php
// 2. Send the following request from a separate terminal:
//    curl -vX POST localhost:8000 -d '{"hello":"world"}' -H "X-Square-HmacSha256-Signature: 2kRE5qRU2tR+tBGlDwMEw2avJ7QM4ikPYD/PJ3bd9Og="

$headers = apache_request_headers();
$signature = $headers["X-Square-HmacSha256-Signature"];

$body = '';
$handle = fopen('php://input', 'r');
while(!feof($handle)) {
    $body .= fread($handle, 1024);

if (isFromSquare($signature, $body)) {
  // Signature is valid. Return 200 OK.
  echo "Request body: $body\n";
} else {
  // Signature is invalid. Return 403 Forbidden.
return http_response_code();

Endpoint details





Would you mind providing an example of a body that’s failing? Also, what version of PHP on what platform? We’re thinking its some sort of encoding issue. :slightly_smiling_face:

This is the body that Square is sending to the end point

  "merchant_id": "MLTSXAHHFPBM9",
  "type": "order.created",
  "event_id": "537e5134-76d0-42a8-86da-4bfefefa8dba",
  "created_at": "2022-11-18T23:42:23.310414419Z",
  "data": {
    "type": "order",
    "id": "eA3vssLHKJrv9H0IdJCM3gNqfdcZY",
    "object": {
      "order_created": {
        "created_at": "2020-04-16T23:14:26.129Z",
        "location_id": "FPYCBCHYMXFK1",
        "order_id": "eA3vssLHKJrv9H0IdJCM3gNqfdcZY",
        "state": "OPEN",
        "version": 1

images of the logs created from the latest request to the endpoint

Thanks, what version of PHP are you using? :slightly_smiling_face:

Originally 7.4 on Linux. Currently running 8.1 on Linux

Thanks, the team is looking into this. :slightly_smiling_face:


Is there any update on this?

I believe the team put out a fix for this. Looking into it. :slightly_smiling_face: