Qiwi

How to check the integrity of the hash in the QIWI API using the SDK and answer that everything is correct?

Greetings! I can create a request using the QIWI PHP SDK, but I also need to check that the payment has been paid, take the appropriate actions, and then send a message to the service that the verification was successful.
To do this, I created a good.php file, in the API settings I indicated that a POST request would come to it. I wrote code in it so that it takes data from the header X-Api-Signature-SHA256, then takes an array of data (in JSON format) that comes in the request body, recodes it into a regular PHP array.
Checked and all data is displayed successfully. But it is not clear how the function works checkNotificationSignature, what parameters to set for it.
The first parameter is $signature. I take it from the header X-Api-Signature-SHA256
The second parameter is $notificationBody. I take it from the data array.
The third parameter is$merchantSecret. And here I xs where to take it. Is it a secret key, from a key pair that QIWI issues or what?
The function then returns true or false. Based on her answer, I need to send back a JSON array. Question: how can I send it back using CURL if I don't know where exactly it came from?