We’re setting up a custom webhook consumer in our New Relic integration pipeline to capture interaction events. The goal is to validate the X-GC-Signature header to ensure the payload hasn’t been tampered with or replayed. We have the signing key stored securely, but every verification attempt fails with a mismatch error.
Here’s the Node.js snippet we’re using to verify the signature:
const crypto = require('crypto');
function verifyWebhook(payload, signature, timestamp, secret) {
const stringToSign = timestamp + '.' + payload;
const hmac = crypto.createHmac('sha256', secret);
hmac.update(stringToSign);
const digest = hmac.digest('base64'); // This feels wrong
return digest === signature;
}
The issue seems to be how we’re encoding the HMAC digest. The documentation says it’s a SHA-256 HMAC, but it doesn’t explicitly state the encoding format for the header value. We tried base64 and hex, but neither matches the X-GC-Signature header coming from Genesys Cloud.
For example, our calculated digest looks like a1b2c3d4... (hex) or YTFiMmMzZDQ... (base64), but the header value is significantly shorter and contains characters like - and _.
Is the signature URL-safe base64 encoded? Or are we missing a step in constructing the stringToSign? The timestamp in the header is in milliseconds, which we’re using directly.
We’ve also checked that the payload we’re signing is the raw body, not parsed JSON. Any pointers on the exact encoding expected by the Genesys Cloud API?