Rate limiting per guest ID is holding up, but the signature check bombs with a 401 Unauthorized on the second frame after hitting /api/v2/conversations/webmessaging/guests. Redis TTL sits at 300, and honestly, the rotation logic looks fine on paper.
- Generate token via Guest API
- Store encrypted session in Redis
- Validate signature on incoming frames
- Rotate keys every 15 minutes
The crypto.sign() output doesn’t match what Genesys expects, so the Node.js middleware isn’t catching the repeat requests before the encryption key rotation policy kicks in.