Verifying a Patreon webhook hash in PHP

I’m working on a Patreon integration for and needed to verify the hash that is sent with the headers by Patreon. I’m using Laravel, but this can easily be tweaked to fit whatever:

// This example can be copied and pasted into Laravel.
// If you're not using Laravel, change the $request related stuff into PHP's native stuff (e.g. file_get_contents("php:///input") etc.)
function verifyPatreonHash(Request $request) {
$patreonBody = $request->getContent(); // This is the raw **body** of the request, which will be JSON (but don't json_decode it!)
$patreonSignature = $request->header('X-Patreon-Signature'); // And this is the header from Patreon
$webhookSecret = "Patreon Webhook Secret Here"; // This'll be the secret Patreon gave you when you created the webhook
$webhookHash = hash_hmac('md5', $patreonBody, $webhookSecret); // This is the hash we've calculated, based on the body and the secret
if(strtolower($webhookHash) == strtolower($patreonSignature)) {
return true; // Verification succeeded
} else {
return false; // Verification failed
view raw index.php hosted with ❤ by GitHub

Leave a Reply