Setting up a webhook endpoint to catch routing events. Need to verify the signature header to block replay attacks. The docs mention using the secret key to generate a hash, but the example is vague on the exact payload string format.
Here is the Python snippet I have so far:
import hmac
import hashlib
def verify_signature(payload, signature, secret):
expected = hmac.new(
secret.encode('utf-8'),
payload.encode('utf-8'),
hashlib.sha256
).hexdigest()
return hmac.compare_digest(expected, signature)
The issue is what exactly goes into payload. Is it the raw JSON body string? Or the JSON body plus the timestamp header? If I just pass the raw request body, the hash never matches.
Also, should I be checking the X-Genesys-Webhook-Signature header specifically? The event payload includes a timestamp field, but I’m not sure if that needs to be concatenated before hashing.
Getting a mismatch every time. Am I missing a step in the encoding process?