The auth flow is still failing opaquely, mind you 😩 but at least my app is getting the same SHA-256 result as a reference website (which it somehow wasn’t when I was using CommonCrypto’s CC_SHA256).