Every IPN received from OrbPay has in the header the hex-encoded SHA1 HMAC signature of a raw IPN body, computed using your callback Secret as the key. To authenticate the IPNs you receive on your Callback URL you should
- You use SHA1 for hashing the body of the IPN with your callback Secret.
- You compare x-orbpay-signature value from the header to the hash you've got after hashing the callback body.
Every new callback request will have a new value of the x-orbpay-signature header. Ensure you are comparing the hash with the right header.