How does the signature verification actually work for the outbound webhooks? I’ve got a FastAPI endpoint listening for routing:interaction:created but I’m not sure how to validate the X-Genesys-Signature header against my client secret to prevent replay attacks. The docs are vague on the exact HMAC algorithm and payload construction.
Here is my current attempt:
import hmac
import hashlib

def verify_signature(payload: str, signature: str, secret: str) -> bool:
    # Is this the right hash algo?
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
It keeps returning False. Am I missing a timestamp check?
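Added example, not part of the original post and not Genesys's documented scheme: a generic HMAC webhook verifier that binds a timestamp into the signed message, rejects stale deliveries, and de-duplicates signatures seen within the window. The header layout (`t=<unix_ts>,v1=<hex_hmac_sha256>`), the signed message (`<timestamp>.<raw_body>`), hex encoding, and the 300-second tolerance are all assumptions chosen for illustration; the real X-Genesys-Signature format must come from the vendor's docs. It verifies the raw request bytes rather than a re-serialized string, since re-encoding JSON is a common reason a correct HMAC implementation still returns False.

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple

# ASSUMED layout (illustrative, not from Genesys docs):
#   header  : "t=<unix_ts>,v1=<hex hmac-sha256>"
#   message : b"<unix_ts>." + raw_body_bytes
TOLERANCE_SECONDS = 300  # assumed replay window


def _message(timestamp: int, raw_body: bytes) -> bytes:
    """Bind the timestamp to the body so a captured signature cannot be reused later."""
    return f"{timestamp}.".encode() + raw_body


def sign(raw_body: bytes, secret: str, timestamp: int) -> str:
    """Produce the header value a sender would attach (assumed layout; for testing)."""
    digest = hmac.new(secret.encode(), _message(timestamp, raw_body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_header(header: str) -> Tuple[int, str]:
    """Split 't=...,v1=...' into (timestamp, hex signature); raises on malformed input."""
    parts = dict(p.split("=", 1) for p in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify(
    raw_body: bytes,
    header: str,
    secret: str,
    now: Optional[float] = None,
    seen: Optional[Set[str]] = None,
) -> bool:
    """True only if the HMAC matches, the timestamp is fresh, and the signature is unseen.

    `raw_body` must be the exact bytes received (FastAPI: `await request.body()`),
    not `json.dumps(parsed)`, because re-serialization changes whitespace/key order.
    `seen` is an optional caller-managed set used to reject exact replays inside the window.
    """
    try:
        ts, provided = parse_header(header)
    except (KeyError, ValueError):
        return False  # malformed header: treat as unauthenticated

    current = time.time() if now is None else now
    if abs(current - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: outside the replay window

    expected = hmac.new(secret.encode(), _message(ts, raw_body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return False  # body or secret mismatch (constant-time compare)

    if seen is not None:
        if provided in seen:
            return False  # identical delivery already accepted: replay
        seen.add(provided)
    return True


if __name__ == "__main__":
    # Constructed sample, not a real Genesys payload.
    body = b'{"eventType":"routing:interaction:created","id":"abc-123"}'
    secret = "example-client-secret"
    ts = int(time.time())
    hdr = sign(body, secret, ts)
    print(verify(body, hdr, secret))  # True
    print(verify(body, hdr, secret, now=ts + 3600))  # False: outside window
```

In a FastAPI handler, read `await request.body()` once, pass those bytes to `verify`, and only then parse JSON; the `seen` set should be backed by a shared store (keyed by signature or event id, expiring after the tolerance window) when more than one worker receives deliveries, since a timestamp check alone only narrows the replay window rather than closing it.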