Invalid signature
Symptoms
- HMAC verification fails
- Payload rejected as untrusted
Likely causes
- Body parsed before hashing (not raw)
- Wrong signing secret
- Encoding mismatch
How to fix
- Hash the raw body exactly as received
- Use the correct signing secret
- Use `timingSafeEqual`