A signature that can be verified on game's backend server. Server side validation can be done by following these steps:
- Split the signature into two parts delimited by the
- Decode the first part with base64url encoding, which should be a hash.
- Decode the second part with base64url encoding, which should be a string representation of an JSON object.
- Hash the second part string using HMAC SHA-256 and the app secret, check if it is identical to the hash from step 2.
- Optionally, developer can also validate the timestamp to see if the request is made recently.