") in hex. Nested objects (extra etc.) are serialized as compact JSON with keys sorted before signing. Replace placeholders with your real credentials. $baseUrl = ""; $merchantNo = ""; $apiKey = ""; $apiSecret = ""; $payload = [ 'merchant_no' => $merchantNo, 'api_key' => $apiKey, 'timestamp' => time(), 'nonce' => 'random-xyz', 'out_order_no' => '202501010001', 'amount' => 10000, 'currency' => 'PHP', 'pay_method' => 'gcash', 'country' => 'PH', 'notify_url' => 'https://merchant.example.com/api/notify/pay', 'extra' => [ 'customer' => [ 'first_name' => '', 'last_name' => '', 'email' => '', 'phone' => '', ], ], ]; function ksort_recursive(&$a) { if (is_array($a)) { ksort($a); foreach ($a as &$v) { ksort_recursive($v); } } } function stable_value($v) { if (is_array($v)) { ksort_recursive($v); return json_encode($v, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE); } return (string)$v; } ksort($payload); $parts = []; foreach ($payload as $k => $v) { if ($k === 'sign' || $v === null) { continue; } $parts[] = $k . "=" . stable_value($v); } $raw = implode("&", $parts) . "&secret=" . $apiSecret; $sign = hash_hmac("sha256", $raw, $apiSecret); $payload["sign"] = $sign; $ch = curl_init($baseUrl . "/merchant/pay/create"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $resp = curl_exec($ch); curl_close($ch); echo $resp;