Request signature verification in PHP


When you expose a public endpoint to receive events from RemoveBounce, it is important to understand the security implications.

This article presents a sample implementation of request signature verification in PHP.


No external dependencies are required to generate the signature.


You need your webhook shared secret available. You can find it here.


Each request sent from the RemoveBounce API will have the following headers:



The signature is an HMAC generated with the SHA-256 algorithm, using the API secret as the key, and is based on the following data:

  • timestamp – The same value as in the x-rb-webhook-timestamp header.
  • body – A string from the body for POST and PUT or an empty string for other methods.


// Extract the signature and the timestamp from the request headers
// $receivedSignature = extract 'x-rb-webhook-signature' from request headers
// $receivedTimestamp = extract 'x-rb-webhook-timestamp' from request headers

// This is an example function on how to validate the request
$secret = 'SECRET'; // This is your webhook shared secret

function generateSignature($apiSecret, $timestamp, $body)
{
  // The signed data is the timestamp followed by the body (if any)
  $data = $timestamp;
  if ($body) {
    $data .= json_encode($body);
  }

  // HMAC-SHA-256 over the data, keyed with the secret; returns a hex string
  $hmac = hash_hmac('sha256', $data, $apiSecret);

  return $hmac;
}

// Compare the output of generateSignature() with $receivedSignature,
// using hash_equals() so the comparison runs in constant time.
// If they match, the request is valid.
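
The comparison step described above, as an added example that is not RemoveBounce's own code: it reuses the signing formula from the sample and adds a constant-time comparison plus a timestamp freshness check. The helper name verifyRequest(), the assumption that the timestamp is in Unix seconds, the 300-second tolerance and the sample payload are all assumptions made for illustration.

```php
<?php
// Signing formula copied from the sample above.
function generateSignature(string $apiSecret, string $timestamp, $body): string
{
    $data = $timestamp;
    if ($body) {
        $data .= json_encode($body);
    }
    return hash_hmac('sha256', $data, $apiSecret);
}

// Hypothetical helper: true only for a fresh, correctly signed request.
// Assumptions: the timestamp is Unix seconds; the 300 s window is illustrative.
function verifyRequest(string $secret, ?string $receivedSignature, ?string $receivedTimestamp,
                       $body, int $now, int $tolerance = 300): bool
{
    // Reject missing or malformed headers before computing anything.
    if ($receivedSignature === null || $receivedTimestamp === null
        || !ctype_digit($receivedTimestamp)) {
        return false;
    }
    // Replay guard: a captured request stops verifying once it is too old.
    if (abs($now - (int) $receivedTimestamp) > $tolerance) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed signature were right.
    $expected = generateSignature($secret, $receivedTimestamp, $body);
    return hash_equals($expected, $receivedSignature);
}

// Constructed sample input (not real RemoveBounce traffic).
$secret = 'SECRET';
$now    = 1700000000;
$ts     = (string) $now;
$body   = ['event' => 'bounce', 'email' => 'user@example.com'];
$sig    = generateSignature($secret, $ts, $body);

var_dump(verifyRequest($secret, $sig, $ts, $body, $now));               // untouched request
var_dump(verifyRequest($secret, $sig, $ts, ['event' => 'open'], $now)); // body altered in transit
var_dump(verifyRequest($secret, $sig, $ts, $body, $now + 3600));        // replayed an hour later
var_dump(verifyRequest($secret, null, $ts, $body, $now));               // signature header missing
```

In a real handler, pass time() as $now and respond with an error status without processing the event whenever verifyRequest() returns false.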