@mariusor are you aware of Authorized Fetch and doing it that way?
I'm not a programmer or dev, so I'm not sure how HTTP signatures normally work, but I have seen multiple devs doing the same sort of work that were completely unaware of Mastodon's proprietary "Authorized Fetch" feature that deals with http signatures in some way that's important.
Thought I'd mention it, just in case there's another way to do them that isn't the Mastodon "Authorized Fetch" way, possibly causing issues.🤷♂️