Building a Node.js endpoint to consume Genesys Cloud webhooks. I’m verifying the X-GCC-Signature header using HMAC-SHA256, but I’m stuck on the replay attack prevention side. The docs mention a timestamp, but the payload doesn’t seem to include one explicitly for signing. Should I be signing the body plus the X-GCC-Request-Timestamp? Here’s my current verification logic:
const sig = crypto.createHmac('sha256', secret).update(body).digest('hex');
Is this enough, or do I need to include the timestamp in the hash?