Skip to main content
Published: January 14 2008, 12:15:00 PMUpdated: August 04 2022, 9:27:36 PM

Notification signatures sent with a notification should be verified. Here's how to do it in PHP.

When eBay sends you a notification, it also sends you a "signature" field in the SOAP header. This signature field is derived from four items :
- Your DevID
- Your AppID
- Your CertID
- Timestamp of the notification

The first three items constitute your keyset (sandbox or production).

You know your keyset (and should be kept confidential), and the timestamp is in the SOAP body. Here's how to verify with PHP code that the notification signature is valid :



// Sample keyset values. Use sandbox or production values 
$devid = 'YOUR-VALUE-9a66-3f359d933e5d'; 
$appid = 'YOUR-VALUE-abf3-92bdc3bcd29d'; 
$certid = 'YOUR-VALUE-43b2-b306-c537a0c83e7f'; 
// These two values are pulled from the notification SOAP payload 
// You need to parse these values from the returned XML 
// This comes from SOAP Header NotificationSignature field 
$sigNote = 'boVG+scoxB694oFeCgUHGw=='; 
// This comes from SOAP Body Timestamp field 
$ebayTimestamp = '2022-01-14T18:35:50.478Z'; 
//The code to calculate the signature looks like this: 
$md5_Str = $ebayTimestamp . $devid . $appid . $certid; 

$sigCalc = base64_encode(pack("H*", md5($md5_Str))); // 'H*' means hex string, to end of data 
// These two values should be equal 
print "sigNote = $sigNote \n"; // signature from notification (parsed XML) 
print "sigCalc = $sigCalc \n\n"; // signature calculated from your keyset & timestamp 
if ($sigNote == $sigCalc) { 
    print "Two signatures are equivalent -- valid notification. \n"; 
} else { 
    print "Payload and calculated signatures differ - invalid notification \n"; 


How well did this answer your question?
Answers others found helpful

Got thoughts? Click the feedback button – your insights help us improve!