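// https://developer.paddle.com/webhooks/signature-verification shows code using a `Verifier` class
// to check that the message from Paddle is authentic.
// Sadly, it doesn't explain where the value for the `$request` variable comes from. It seems you need to use
// the PSR framework for that, but I was unable to find a way to use it for getting the data for the POST
// I am handling in my webhook handler.
// Fortunately, I was able to resolve this by looking into the code of the Verifier class from the SDK.
// Here's a version that does not rely on PSR. You still have to install Paddle's PHP SDK, though,
// see https://github.com/PaddleHQ/paddle-php-sdk/

require_once 'vendor/autoload.php'; // the path to your vendor dir created with "composer" tool

use Paddle\SDK\Notifications\Secret;
use Paddle\SDK\Notifications\PaddleSignature;

/**
 * Stop handling the webhook and answer with a non-2xx status.
 *
 * A bare die(1) in a web SAPI still sends "200 OK", so a rejected request looks
 * like a successful delivery to the sender and to anyone reading access logs.
 * An explicit 4xx status makes rejected deliveries visible and countable.
 */
function rejectWebhook(int $status): void
{
    http_response_code($status);
    exit(1);
}

// Notification secrets accepted by this endpoint; verify() succeeds if any one matches.
// Keep the real values out of source control (environment variable or secret store).
// Accepting the sandbox secret on a production endpoint means a sandbox-signed event
// is trusted there too, so prefer listing only the secret for the environment served.
$secrets = array();
$secrets[] = new Secret("pdl_nt…"); // sandbox key
$secrets[] = new Secret("pdl_nt……"); // production key

// The header is attacker-controlled and may be absent: check it before use.
$signatureData = $_SERVER['HTTP_PADDLE_SIGNATURE'] ?? null;
if (!is_string($signatureData) || $signatureData === '') {
    rejectWebhook(400);
}

// Fail closed if the header cannot be parsed; the exact exception type thrown by
// parse() is not shown here, so anything it throws is treated as a malformed header.
try {
    $signature = PaddleSignature::parse($signatureData);
} catch (\Throwable $e) {
    rejectWebhook(400);
}

// Replay window: refuse signatures older than this many seconds.
// This relies on the server clock being in sync (NTP); a skewed clock rejects valid events.
// A timestamp in the future is not refused by this comparison.
$maxAgeSeconds = 6;
if (\time() > $signature->timestamp + $maxAgeSeconds) {
    rejectWebhook(400);
}

// Verify over the raw request bytes. Do not json_decode() and re-encode first,
// and do not act on any field of the body until verification has passed.
$rawinput = file_get_contents('php://input');
if ($rawinput === false) {
    rejectWebhook(400);
}

$valid = $signature->verify($rawinput, ...$secrets);
if ($valid !== true) {
    // Repeated failures here are worth logging and alerting on (forged or misrouted requests).
    rejectWebhook(403);
}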