val expected = hmacSha256(secret, bodyBytes)
val actual = headers["X-Genesys-Signature"]
if (!MessageDigest.isEqual(expected, actual)) throw SecurityException()
My Kotlin consumer is rejecting valid webhooks. The timestamp in the header is a few seconds ahead of my server, causing the replay window check to fail. Is Genesys Cloud signing with the request creation time or the send time? I’m seeing 401 Unauthorized on the webhook delivery logs.