Setting up a secure endpoint to handle events. The goal is to verify the X-Genesys-Webhook-Signature header to prevent replay attacks. I’m using the Python SDK to validate the payload against the shared secret. The signature matches for the first request, but subsequent identical payloads fail the check. It seems like Genesys is including a timestamp or nonce in the signature calculation that I’m not accounting for, or maybe the order of headers is different than expected.
Here’s the validation logic I’m using:
import hmac
import hashlib
expected_sig = hmac.new(
shared_secret.encode('utf-8'),
body.encode('utf-8'),
hashlib.sha256
).hexdigest()
if not hmac.compare_digest(expected_sig, received_sig):
raise Exception("Signature mismatch")
The received_sig comes from the header X-Genesys-Webhook-Signature. The body is the raw JSON payload. I’ve checked the docs, but they don’t specify if the signature includes the timestamp header or just the body. If I strip the timestamp, it works, but that feels insecure. Is there a specific string format I need to sign? The API returns a 401 if I don’t verify, but I can’t figure out the exact input for the HMAC function.