- Genesys Cloud v23.1
- Python 3.11
- FastAPI endpoint
- CXone Studio REST proxy
Looking for advice on validating the X-Genesys-Signature header against the raw POST body to block replay attacks. While the initial HMAC-SHA256 check succeeds, identical payloads circulating within the 300-second window trigger immediate failures. Platform SDK parsing outright rejects the base64-encoded timestamp. Strip the Content-Type header before hashing, or does the notification API quietly inject metadata that corrupts the digest?
import hashlib
import hmac

def verify_signature(payload, sig_header, secret):
    # Header is expected as "<timestamp>,<signature>"; the timestamp is parsed but not checked here.
    timestamp, signature = sig_header.split(',')
    # HMAC-SHA256 over the raw request body bytes only.
    expected = hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(expected, signature)