Every IPN received from OrbPay has in the header the hex-encoded SHA1 HMAC signature of a raw IPN body, computed using your callback Secret as the key. To authenticate the IPNs you receive on your Callback URL you should 

  1. You use SHA1 for hashing the body of the IPN with your callback Secret.
  2. You compare x-orbpay-signature value from the header to the hash you've got after hashing the callback body.

Every new callback request will have a new value of the x-orbpay-signature header. Ensure you are comparing the hash with the right header.

Did this answer your question?