When verifying header signature on Google Cloud functions, one must use request.rawBody. See Cloud run functions documentation. In short, request.body contains the parsed request body while the original payload resides at request.rawBody

I checked Twilio's documentation and here's their example of signature verification using express middleware.

To use expressjs app as cloud function on can simply pass app to the onRequest function.

exports.app = functions.https.onRequest(app);