Hmm. I was thinking today whether the whole thing of signing a string with a user-specific secret is the right thing?
What we want to achieve:
Give the user the possibility to verify that the provided data is authentic.
What we actually do:
Give the user the possibility to verify that the provided data is authentic and signed with the user's secret.
I think the latter part is not necessary - as long as the user can make sure the data is authentic, everything is fine. So we can probably simplify the setup by not needing user-specific secrets...