Postman said 200, the vendor kept logging 401.
My “the requests are identical” assumption died the moment I added structured logs for method, headers, and the raw body hash.
Two culprits showed up fast: their request had application/json; charset=utf-8 and a different signature header name than I was reading.
Worse, I was verifying the HMAC over a parsed JSON object, not the original bytes—tiny whitespace and key-order changes meant a different digest.
The fix was boring but effective: turn off automatic body parsing to capture raw bytes, compute HMAC on those bytes, read the exact signature header, and normalize the route (no surprise trailing slashes).
Browser GETs now get a proper 405, Postman still returns 200, and vendor callbacks are 200 at last.
Lesson learned: only logs beat vibes—hash the bytes you actually receive, not the object you hope you got.