I have an application that uses webhook to track events of twitter. for example follow, … However, I want to use the signature header x-twitter-webhooks-signature to ensure the security of the data. I have read the twitter guide document . I use the HMAC SHA-256 in php at Hash_mac PHP but it returns a string unlike x-twitter-webhooks-signature. (my application is developed on laravel)
This is my coding like this 
$requestBody = file_get_contents('php://input');
// Verify if the request comes from Twitter
$signature =$request->header('x-twitter-webhooks-signature');
if (! Twitter::verifySignature($signature, $requestBody)) {
header('HTTP/1.1 403 Forbidden');
die('Invalid signature');
}
---------------------------
class Twitter
{
/**
* Creates a HMAC SHA-256 hash created from the Twitter app consumer secret
* @param token the token provided by the incoming GET request
* @return string
*/
public static function getChallengeResponse($token)
{
$hash = hash_hmac('sha256', $token, getenv('TWITTER_APP_CONSUMER_SECRET'), true);
return [
'response_token' => 'sha256=' . base64_encode($hash)
];
}
/**
* Verifies a payload signature
* @param string $signature
* @param string $payload
* @return bool Is the signature correct ?
*/
public static function verifySignature($signature, $payload)
{
return ($signature === 'sha256='.base64_encode(hash_hmac('sha256', $payload, getenv('TWITTER_APP_CONSUMER_SECRET'), true)));
}
}
Thanks.
