def _verify_signature(self, data): h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) h.undate(data[:-32]) try: h.verify(data[:-32]) except InvalidSignature: raise InvalidToken