We are implementing signature verification for CXone webhooks to prevent replay attacks, but the HMAC check is consistently failing. The incoming headers contain x-nice-signature and x-nice-timestamp, yet our Node.js verification logic returns a mismatch. We have confirmed the shared secret is correct and the payload is parsed identically to the incoming request body. Here is the verification snippet we are using. Any ideas on what is causing the drift?