Hmm. I was thinking today if the whole thing of signing string with user-specific secret is the right thing?
What we want to achieve:
Give the user possibility to verify the provided data is authentic.
What we actually do:
Give the user possibility to verify the provided data is authentic and signed with users secret.
I think the latter part is not necessary - as long as user can make sure the data is authentic everything is fine. So probably we can simplify the setup by not needing user-specific secrets...
How do you propose to validate the content without a secret ?
-Not only the sender, but also that the contents have not been tampered with.
If the server is compromised, all bets are off, but the user secret means you need to know url, address and secret to fake a call.
If that secret is a user "defined" one, or a ssl key or something else, is maybe the same.