Enable rawBody: true in NestFactory.create() options. NestJS will then preserve the raw Buffer alongside the parsed body. Use @RawBody() to inject the buffer for HMAC signature verification while still receiving the parsed DTO via @Body() for business logic.
rawBody: true in NestFactory.create() preserves the original Buffer before JSON parsing.
@RawBody() injects the Buffer; compute the HMAC over it unmodified and compare the result with the provider's signature using crypto.timingSafeEqual.
Without rawBody: true the body is parsed and the original bytes are lost; re-serializing the parsed object is not guaranteed to reproduce them, so signature verification fails.
The alternative is configuring the Express body-parser verify callback before NestJS boots; rawBody: true is cleaner.
Use @Headers('stripe-signature') or equivalent to extract the provider's signature header.
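
Added example (not from the original page, and not NestJS or provider code): plain Node.js showing why the check must run over the raw Buffer, since the same signature fails once the body has been parsed and re-serialized. The function names, secret, payload and the scheme (hex-encoded HMAC-SHA256 over the raw body) are assumptions; real providers define their own signed-payload format.

```javascript
// Added example: plain Node.js, no NestJS. Names, secret and payload are
// constructed for illustration.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-example-secret'; // constructed, not a real key

// Assumed scheme: header value = hex(HMAC-SHA256(secret, raw body bytes)).
function sign(rawBody, secret) {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// rawBody must be the Buffer exactly as received (what @RawBody() injects).
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string') return false;
  // Strict format check: Buffer.from(..., 'hex') silently stops at the first
  // non-hex character, so trailing garbage would otherwise be ignored.
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are 32 bytes here; timingSafeEqual throws on unequal lengths.
  return timingSafeEqual(received, expected);
}

// Constructed request: the sender's JSON uses spacing and a number form that
// JSON.parse followed by JSON.stringify does not reproduce.
const rawBody = Buffer.from('{"id": "evt_1", "amount": 10.0}', 'utf8');
const header = sign(rawBody, SECRET);

// What a handler has left when only the parsed body survives.
const reserialized = Buffer.from(
  JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');

function demo() {
  return {
    rawOk: verifyWebhook(rawBody, header, SECRET),
    reserializedOk: verifyWebhook(reserialized, header, SECRET),
    tamperedOk: verifyWebhook(
      Buffer.from('{"id": "evt_1", "amount": 99.0}', 'utf8'), header, SECRET),
    malformedHeaderOk: verifyWebhook(rawBody, 'not-hex', SECRET),
  };
}

console.log(demo());
```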