We are implementing a webhook consumer for Genesys Cloud events. The goal is to validate the X-Genesys-Signature header to ensure payload integrity and prevent replay attacks. The documentation mentions HMAC-SHA256, but the exact base string is unclear. Is it the raw body or URL-encoded? Here is the current logic, which fails validation:
import hmac
sig = hmac.new(secret.encode(), body.encode(), 'sha256').hexdigest()
The signature never matches. What is the correct input for the HMAC calculation?