How to validate Desk Iframe Sidebar html_key

I’m trying to integrate Desk Iframe Sidebar and having a hard time understanding the documentation about how to verify the payload.

What I get on the header is x-secret-token (and of course html_key and agent_id on the query params).

The documentation mentions x-hub-signature but I don’t get it on the headers.

I tried creating a sha-256 with master_api_key / with x-secret-key, with agent_id as body, but none are equal to html_key.

(BTW, I am able to verify Chat Webhooks, Desk Webhooks and Chat Bot Callbacks with creating proper hmacs).

So, how should we verify html_key?
Thanks.