You can verify that a notification is genuinely sent from Hoiio.

This step is optional, but is highly advised.

If you do not verify the notifications, HTTP requests could be spoofed by malicious hackers, and you could be tricked into believing that Hoiio has sent you the notifications.

The Algorithm

payload = HTTP body
key = access_token
computed_signature = hex_encoded(hmac_sha256(payload, key))
notification_signature = HTTP Header X-Hoiio-Signature
if (computed_signature == notification_signature)
    // This is genuinely from Hoiio
    // Process..
else
    // This is from malicious hacker
    // Ignore!

The algorithm above computes a signature with the HTTP body and your access token (which is a secret only you and Hoiio know).

Compare the output with the custom HTTP header, X-Hoiio-Signature. The 2 signatures should match to ensure the authenticity and integrity of the notification.

You have to implement the above in your own development environment. You can refer to how signatures are computed for Java, PHP and Python.