Each webhook Loop sends contains the X-Loop-Signature header with the value that should be checked to ensure the webhook came from Loop's system.

We generate the value using the SHA256 algorithm.

Here is an example in PHP:

<?php
  
$encoded = base64_encode(hash_hmac('sha256', $jsonPayload, '<SECRET>', true));