What does this mean? How to do it?
"You should validate the postback source, that is, if it was actually sent by Pay.me.
To do this, you must calculate the HMAC-SHA1 of the body of the HTTP request and compare it with the X-Hub-Signature header.
postback_body by the body content of the postback HTTP request, 1213e67a3b34c2848f8317d29bcb8cbc9e0979b8 by the signature received on X-Hub-Signature, ak_test_grXijQ4GicOa2BLGZrDRTR5qNQxJW0 by your available API key on your Dashboard.
The X-Hub-Signature is the HMAC-SHA1 hash calculated from the body of the HTTP request with its Pay Per Key API as a key.