So, I’m really confused about this optional but highly recommended step for receiving the Events in a registered Webhook target.

As far as I understand the X-Hook-Signature header is the precomputed hash of the data using the shared secret that was exchanged through the initial handshake to create the webhook. If this is correct, from what I understand all I need to do to verify the data is real and that it came from Asana is to use the secret key to compute a hash on the posted data using the HMACSHA256 algorithm and compare it to the X-Hook-Signature value.

However, the X-Hook-Signature header contains a 64 bytes hash, but ALL computed HMACSHA256 are 256 bits, or 32 bytes, so what is going on here? The length of the hashes is a complete mistmatch, so the comparison would always fail. Am I missing something here? Any help would be appreciated.