Server-side only. Never put the API key in JavaScript that runs in the browser.
<?php
function orderger_send_order(array $payload): array {
$apiKey = getenv('ORDERGER_API_KEY');
$branchId = getenv('ORDERGER_BRANCH_ID');
$base = 'https://orderger-api.hamidalqwaysim.workers.dev';
$ch = curl_init($base . '/api/v1/orders');
curl_setopt_array($ch, [
CURLOPT_HTTPHEADER => [
'Authorization: Bearer ' . $apiKey,
'X-OrderGer-Branch-ID: ' . $branchId,
'Content-Type: application/json',
],
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => json_encode($payload, JSON_UNESCAPED_UNICODE),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 15,
]);
$resp = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$body = json_decode($resp, true) ?: ['_raw' => $resp];
if ($code < 200 || $code >= 300) {
error_log('OrderGer FAIL ' . $resp);
return $body + ['success' => false];
}
return $body + ['success' => true];
}
function orderger_verify_webhook(string $rawBody, string $signatureHeader, string $secret): bool {
if (strpos($signatureHeader, 'sha256=') !== 0) return false;
$expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
return hash_equals($expected, $signatureHeader);
}