Setting up an OTel consumer for Data Action events. Need to verify the X-GC-Signature header to block replay attacks.
Using Python’s hmac library but the hash never matches. Am I using the wrong secret? Is it the client ID or the webhook secret?
sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
The header looks like sha256=abc123.... What exactly is the payload string for the hash calculation?
The secret isn’t the client ID. It’s the webhook-specific secret you get when you create the subscription in the UI or via the API. Also, your Python snippet is missing the timestamp handling. Genesys sends X-GC-Timestamp too.
Here’s how we do it in C#. You need to concatenate the timestamp and body before hashing.
var timestamp = Request.Headers["X-GC-Timestamp"];
var bodyString = await new StreamReader(Request.Body).ReadToEndAsync();
var payload = timestamp + bodyString;
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(webhookSecret));
var hash = Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
var expected = $"sha256={hash}";
var actual = Request.Headers["X-GC-Signature"];
if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(actual)))
{
return Unauthorized("Invalid signature");
}
The docs say “sign the message”, but they don’t explicitly show the timestamp concatenation in every example. It’s a common trip-up. Make sure your server time is synced too. If the timestamp is older than 5 minutes, Genesys rejects it anyway.