Trying to verify the X-Genesys-Signature header to block replay attacks on my EventBridge consumer. The signature matches for the initial payload, but it fails validation when the event is redelivered with a different timestamp. Is the signature calculation supposed to include the X-Genesys-Event-Time header or just the body hash?
HMAC_SHA256(secret, payload)
The docs are vague on whether the timestamp is part of the signed data.