My lti 1.3 tool oidc_initiation_url is receiving an lti_message_hint of

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ2ZXJpZmllciI6ImRjYzhhNzNjYjUxMzFjY2UxNjcwZmRjYWU4MzM3NjRmOGU3MTJlNTBjNTJiODc2YWJiODk3OGY2MjMwMzczMGJkZmFiZDUwMTgwOWMxZWI5MmY3ZWZhMTE1NmY2Y2Y0NDhmZTA0NWQzMTM4NDhmOTgyYTllYjI2YzM0MTQzNDk2IiwiY2FudmFzX2RvbWFpbiI6ImhlcnRzLnRlc3QuaW5zdHJ1Y3R1cmUuY29tIiwiY29udGV4dF90eXBlIjoiQ291cnNlIiwiY29udGV4dF9pZCI6MTA3NzUwMDAwMDAwMDAwMDAxLCJleHAiOjE2MjM5Mjc2Mjxx.JK3m-OxX1MONpYrwZTKDYwV3b-uqmjUBHz_Ip6WaG8s

When decoded, this equates to having a header of {"typ":"JWT","alg":"HS256"}

When I try to use HS256 and the Canvas Developer Key as the secret I cannot match the signature I generate with the signature on the JWT in lti_message_hint.

Two questions...

Why is the lti_message_hint being passed as HS256 instead of RS256? I set the Developer Key up using RS256 and provided a JWK so the public key could be used by Canvas.

If I need to use HS256 to verify the JWT in lti_message_hint, then please could someone clarify what I should be using as the shared secret? I have tried both Developer Key and Public Key and neither return the same signature as passed in the JWT.

I have failed to find any Canvas documentation that explains how the signature is being generated for the lti_message_hint JWT.

Thank you.