PHP
HARDPLATON, 2021-01-04 22:51:04

How to correctly receive an HTTP notification from QIWI in PHP?

The documentation at https://developer.qiwi.com/ru/p2p-payments/#notifi... says that the information comes by the POST method; that part is understandable, but I don't understand how to authorize notifications. Can you help write this script?


3 answer(s)
Vasily Bannikov, 2021-01-05
@vabka

After receiving an incoming notification, you need to verify its authenticity. For this, a digital signature mechanism is used. The notification signature is sent in the X-Api-Signature-SHA256 HTTP header. To generate the signature, the HMAC integrity check mechanism with the SHA256 hash function is used.
Signature verification algorithm:
1. Combine the values of the following notification parameters into a single string with the separator |:
invoice_parameters = {amount.currency}|{amount.value}|{billId}|{siteId}|{status.value}
where {*} – parameter value. All values must be treated as strings when verifying a signature.
2. Calculate HMAC hash with SHA256 hashing algorithm:
hash = HMAC(SHA256, invoice_parameters, secret_key)
where:
secret_key – function key;
invoice_parameters – string from item 1;
3. Compare the value of the X-Api-Signature-SHA256 header with the result from step 2.

The notification authorization process is necessary so that you, as the recipient of the notification, can confirm that this request actually came from QIWI.
Which of the points is not clear?
Well, QIWI itself writes:
This service is not mandatory for integration, you can implement a simpler option with polling the account status.
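
The three verification steps quoted in this answer, written out in PHP as an added example (it is not part of the answer and not QIWI's own code). It assumes the JSON body nests the fields under a top-level bill object, that the header carries the digest as hex, and that the secret key is read from a QIWI_SECRET_KEY environment variable; those names, the status codes and the sample data are constructed for illustration.

```php
<?php declare(strict_types=1);
// Step 1: join the five fields with "|". Returns null if one is missing, so the caller fails closed.
function qiwiInvoiceParameters(array $bill): ?string
{
    $paths = [['amount', 'currency'], ['amount', 'value'], ['billId'], ['siteId'], ['status', 'value']];
    $parts = [];
    foreach ($paths as $path) {
        $value = $bill;
        foreach ($path as $key) {
            if (!is_array($value) || !array_key_exists($key, $value)) {
                return null;
            }
            $value = $value[$key];
        }
        if (!is_scalar($value)) {
            return null;
        }
        $parts[] = (string) $value; // all values are treated as strings
    }
    return implode('|', $parts);
}

// Steps 2 and 3: HMAC-SHA256 over the string, constant-time compare with the header.
function qiwiSignatureIsValid(string $rawBody, ?string $header, string $secretKey): bool
{
    $data = json_decode($rawBody, true);
    // Assumption: the fields are nested under a top-level "bill" object.
    $bill = is_array($data) ? ($data['bill'] ?? null) : null;
    $params = is_array($bill) ? qiwiInvoiceParameters($bill) : null;
    if ($params === null || $header === null || $secretKey === '') {
        return false;
    }
    // Assumption: the header carries the digest as hex.
    return hash_equals(hash_hmac('sha256', $params, $secretKey), strtolower(trim($header)));
}

if (PHP_SAPI === 'cli') {
    // Constructed sample notification and key, for an offline check only.
    $key = 'constructed-test-key';
    $body = '{"bill":{"siteId":"site-1","billId":"bill-42","amount":{"value":"1.00","currency":"RUB"},"status":{"value":"PAID"}}}';
    $sig = hash_hmac('sha256', 'RUB|1.00|bill-42|site-1|PAID', $key);
    var_dump(qiwiSignatureIsValid($body, $sig, $key));                              // valid signature
    var_dump(qiwiSignatureIsValid(str_replace('1.00', '9.00', $body), $sig, $key)); // tampered amount
} else {
    $secret = (string) getenv('QIWI_SECRET_KEY'); // hypothetical variable name
    $raw = (string) file_get_contents('php://input');
    $ok = qiwiSignatureIsValid($raw, $_SERVER['HTTP_X_API_SIGNATURE_SHA256'] ?? null, $secret);
    http_response_code($ok ? 200 : 403); // status codes chosen for this example
    // Only when $ok is true: look up the bill by billId and update the order.
}
```

The signature is computed from the parsed fields, so read the raw body once from php://input and decode that same string for any later processing.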

Adik Izat, 2021-01-05
@JaxAdam

Very simple.
1) When registering a transaction (transfer), you save the data necessary to authorize the transaction in the web service database. The data is described in the first step in the documentation under "Notification Authorization":

invoice_parameters = {amount.currency}|{amount.value}|{billId}|{siteId}|{status.value}

2) The transfer notification comes to you in the form of a POST request; there are examples of the request body in the documentation. From the headers of the request, you take the X-Api-Signature-SHA256 header. Referring to the database, you pull out the data for authorizing the notification. Further, referring to the Qiwi API, you check the authenticity.
3) If the API sent a response with a status of 200, do what you need with the notification. If not, then do nothing.

alexrnov, 2022-02-02
@alexrnov

Authorization of Qiwi Wallet notifications in Kotlin.
Perhaps this will tell someone how to implement authorization in PHP.

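import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import org.apache.commons.codec.binary.Hex // assumed source of Hex (Apache Commons Codec)
...
private fun checkSignature(req: HttpServletRequest): Boolean {
    // A request without the signature header is rejected
    val signature: String = req.getHeader("Signature") ?: return false
    // Signed string: the notification fields joined with "|"
    val parameters = paymentId + "|" + createdDateTime + "|" + amount.value

    // HMAC-SHA256 of the signed string, keyed with the API token, hex-encoded
    val hmacSha256: Mac = Mac.getInstance("HmacSHA256")
    hmacSha256.init(SecretKeySpec(apiKeyToken.toByteArray(), "HmacSHA256"))
    val result = Hex.encodeHexString(hmacSha256.doFinal(parameters.toByteArray()))

    // Constant-time comparison, so the check does not leak how many leading characters match
    return MessageDigest.isEqual(signature.toByteArray(), result.toByteArray())
}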

Parameters: paymentId, createdDateTime, amount.value, taken from notification parameters.
apiKeyToken is the same token that is used to authorize requests.
