I had a similar requirement to authenticate the request with HmacSha256 and i was able to implement it by using the code below.

You can pass the HMAC signature in the headers which should be generated with the payload and system defined HMAC secret key(only source and your app have access to the secret HMAC key).

Eg to verify the signatures:

1. Extract the text of the UTF-8 payload as a string. The entire body of the POST request is used, including line endings.
2. Compute a SHA256 HMAC digest for the strigified payload.
3. Compare the base64 digest to the value of the x-hmac-signature header. Computed digest must exactly match its corresponding header value. If there is no match, then the request may be compromised and it should not be trusted

Example Outbound data with the HMAC key -

var body ='sample_data';
var mac = new GlideCertificateEncryption;
var key = "sample_key";                              //can be defined in a property
key = GlideStringUtil.base64Encode(key);
var hash = mac.generateMac(key, "HmacSHA256", body);
 

var request = new sn_ws.RESTMessageV2();
request.setEndpoint('https://{instance_name}/api/rao/testapi');         //Scripted rest api
request.setHttpMethod('POST');
request.setRequestHeader("x-hmac-signature",hash);

request.setRequestBody(body);
request.setRequestHeader("Accept","application/json");

var response = request.execute();

Inbound Scripted rest Api to authenticate the request with HmacSHA256 -

var requestBody = JSON.stringify(request.body.data);
var requestHeaders = request.headers;

var mac = new GlideCertificateEncryption;
var key = 'sample_key';                       //should match the source system
key = GlideStringUtil.base64Encode(key);
var signature = mac.generateMac(key, "HmacSHA256", requestBody);

if (requestHeaders["x-hmac-signature"] === signature) {

//Process the request

} else {

gs.info("Authentication failed ");

}