<?php

if (empty($_SERVER['HTTP_X_CG_SIGNATURE'])) {
	//invalid
}

$rawBody = file_get_contents('php://input');
$token = md5($rawBody);

// check signature
if ($_SERVER['HTTP_X_CG_SIGNATURE'] != hash_hmac('sha256',$token,$productKey)) {
	//invalid
}