Sign responses
The current implementation of the signature authentication when it comes to external calls do not sign the response.
This should at the least be done in the hmac signature authentication to let the client know that the request was accepted by the right server.