# Handling API Responses

#### Validating API Signatures

{% hint style="warning" %}
For every API response, you must verify the response's signature against your merchant secret to protect against man-in-the-middle attacks.
{% endhint %}

```php
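//PHP
//Use the createBreathePaySignature function we created earlier to verify the response's signature
//A response with no signature is treated as invalid, not skipped
$signature = $response['signature'] ?? '';
unset($response['signature']);

//hash_equals compares the two strings in constant time
if(!is_string($signature) || !hash_equals($this->createBreathePaySignature($response, YOUR_MERCHANT_SECRET), $signature)) {
  //SIGNATURE INVALID, TRANSACTION IS COMPROMISED
  //Stop here and do not act on any field in $response
}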
```

#### Successful Response

{% hint style="success" %}
Successful responses return a status code of **0**
{% endhint %}

```php
//PHP
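//Compare as a string so a missing or non-numeric code can never match 0
if(isset($response['responseCode']) && (string)$response['responseCode'] === '0') {
    //If it was a charge request, store these values for reconciliation and refunds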
    $txId = $response['transactionID'];
    $xref = $response['xref'];
}
```

#### Error Response

{% hint style="warning" %}
Error responses return a status code that is neither 0 nor 65802
{% endhint %}

```php
//PHP
//Compare as strings so a missing or non-numeric code is handled as an error
$code = (string)($response['responseCode'] ?? '');
if($code !== '0' && $code !== '65802') {
    //Handle error
}
```
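
The three checks above combined into one function, as an added example that is not BreathePay's own code: the signature is verified first, and `responseCode` is only read once it passes. The `classifyResponse` name, its return labels and the HMAC stand-in signer are assumptions for the demo; in a real integration pass your `createBreathePaySignature` function as `$sign`.

```php
<?php
// Added example. $sign is any callable (array $fields, string $secret) => string,
// e.g. [$this, 'createBreathePaySignature'] from the earlier section.
function classifyResponse(array $response, string $secret, callable $sign): string
{
    // 1. Fail closed: a response with no usable signature is rejected, never skipped.
    $received = $response['signature'] ?? null;
    if (!is_string($received) || $received === '') {
        return 'rejected';
    }
    unset($response['signature']);

    // 2. Recompute over the remaining fields and compare in constant time.
    if (!hash_equals($sign($response, $secret), $received)) {
        return 'rejected';
    }

    // 3. Only now is responseCode trusted. Compare as strings to avoid loose typing.
    $code = (string)($response['responseCode'] ?? '');
    if ($code === '0') {
        return 'success';
    }
    if ($code === '65802') {
        return 'code-65802';
    }
    return 'error';
}

// STAND-IN signer for this demo only (assumption): HMAC-SHA256 over key-sorted fields.
// It is NOT the BreathePay signing algorithm.
$demoSign = function (array $fields, string $secret): string {
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields), $secret);
};

// Constructed sample data.
$secret = 'demo-secret';
$body   = ['responseCode' => '0', 'transactionID' => '1001', 'xref' => 'CONSTRUCTED-XREF', 'amount' => '1000'];
$valid  = $body + ['signature' => $demoSign($body, $secret)];
$tampered = $valid;
$tampered['amount'] = '1';              // field changed after signing
$unsigned = $body;                      // signature stripped entirely
$otherCode = ['responseCode' => '5', 'amount' => '1000'];
$otherCode['signature'] = $demoSign($otherCode, $secret);

$cases = ['valid' => $valid, 'tampered' => $tampered, 'unsigned' => $unsigned, 'other-code' => $otherCode];
foreach ($cases as $name => $r) {
    echo $name, ': ', classifyResponse($r, $secret, $demoSign), PHP_EOL;
}
```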
