If the identity is protected by HMAC, that means that data is protected by a symmetric key, and therefore needs to be decrypted/verified in every service using that same private key. In other words every service needs to have the same shared secret. It would be better to use signed tokens (JWT comes to mind) via RSA or preferably EdDSA and verify the tokens using service clients auth, such as this: https://authress.io/knowledge-base/api-authentication-creating-service-client-api-keys