1.重新设置Token验证接口

app/api/controller/v1/Playx.php

@@ -443,12 +443,32 @@ class Playx extends Api
             $client = new \GuzzleHttp\Client($clientOptions);
 
             if ($isAbsoluteVerifyUrl) {
+                $merchantCode = strval(config('playx.angpow_import.merchant_code', ''));
+                $authKey = strval(config('playx.angpow_import.auth_key', ''));
+                if ($merchantCode === '' || $authKey === '') {
+                    return $this->error(__('PlayX API not configured'));
+                }
+
+                // 与 angpow-imports 一致：HMAC-SHA1 → Base64；密钥 hex/base64 兼容；仅 X-Request-Signature 头
+                $reportDate = strval(time());
+                $signatureInput = 'merchant_code=' . $merchantCode
+                    . '&report_date=' . $reportDate
+                    . '&request_id=' . $requestId
+                    . '&token=' . $token;
+                $signature = $this->buildPlayxTokenVerifySignature($signatureInput, $authKey);
+                if ($signature === null) {
+                    return $this->error(__('Invalid signature'), null, 0, ['statusCode' => 500]);
+                }
+
                 $headers = [
-                    'Content-Type' => 'application/json',
+                    'Content-Type'          => 'application/json',
+                    'X-Request-Signature'    => $signature,
                 ];
                 $payload = [
-                    'request_id' => $requestId,
-                    'token'      => $token,
+                    'merchant_code' => $merchantCode,
+                    'report_date'   => $reportDate,
+                    'request_id'    => $requestId,
+                    'token'         => $token,
                 ];
                 $res = $client->post($targetVerifyUrl, [
                     'headers' => $headers,