Genesys Cloud webhook signature verification failing

Trying to verify the x-genesys-signature header in our Node.js webhook endpoint to prevent replay attacks. The signature calculation doesn’t match the header value, even though the shared secret is correct. Here’s the verification code:

const crypto = require('crypto');
const signature = crypto.createHmac('sha256', process.env.SECRET)
 .update(req.body)
 .digest('hex');

The generated hash never matches req.headers['x-genesys-signature']. Is the payload encoding different?

req.body is an object, not a string. You need to hash the exact raw payload string that Genesys sent, usually via req.rawBody or by piping the stream, otherwise the HMAC will never match the header.