Private image bad hex encoding? Sveltekit

I get the error: ERROR 9425: Image access denied: sig query-string argument is not properly hex-encoded (must be 64 hex chars). or error: ERROR 9425: Image access denied: check failed: Malformed data found: The URL signature does not match. Expecting SHA-256 HMAC of the path without domain nor query string when using the signed url function.

I’m trying to provide private images on Sveltekit using the signed URLs procedure. Cloudflare provides this as a designated Worker though Sveltekit uses its own server endpoints to create Page functions so I’ve placed the provided solution for signed URLs by Cloudflare:
https://developers.cloudflare.com/images/cloudflare-images/serve-images/serve-private-images-using-signed-url-tokens into either the src/lib folder as a normal function, and as a server endpoints (+server.ts).
Below is my code. From the copy-pasted code from the Cloudflare page, I’ve only changed:

  1. the parameter to accept the url as a string instead of URL type, and moved the URL mutations into the main function instead of before the function call argument.
  2. return the new generated url as a string instead to be able to plop right into my src attribute
  3. inserted my imported key.

When I console log the result of the function, I get a url like this: https://imagedelivery.net/Zwety7eez57My5vN6lsp1g/2b49sa2n-3163-4335-14zt-c49fb388e401/w640?exp=1690438557&sig=c2d1d9342b8785fedaa53a2b03362afc55a951375684a60c256a272de7beb94c .Which has the 64 character hex sig query param, w640 is a valid variant and everything looks correct based on the comments in the official CF doc page code snippet.
I see the error from the Network tab in DevTools, and also from using Postman/Insomnia.

Why isn’t it working?
Thank you

import { CF_IMAGES } from "$env/static/private";
const EXPIRATION = (60 * 60 * 24) * 5; // (1 day) * 5

https://imagedelivery.net/Zgety72ez9NMy5vNjlIElg/2c297121-0533-4e55-54ab-c87fb084e401/?exp=1690438557&sig=c6d5d7764e8525ffeaa78a2f03965cec55a952373634a69c653a171de4ceb85c/w640


const bufferToHex = buffer => [...new Uint8Array(buffer)].map(x => x.toString(16).padStart(2, '0')).join('');


export async function generateSignedUrl(urlR: string) {
  const url = new URL(urlR);

  const encoder = new TextEncoder();
  const secretKeyData = encoder.encode(CF_IMAGES);
  const key = await crypto.subtle.importKey(
    'raw',
    secretKeyData,
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );

  const expiry = Math.floor(Date.now() / 1000) + EXPIRATION;
  url.searchParams.set('exp', expiry);

  const stringToSign = url.pathname + '?' + url.searchParams.toString();

  const mac = await crypto.subtle.sign('HMAC', key, encoder.encode(stringToSign));
  const sig = bufferToHex(new Uint8Array(mac).buffer);

  url.searchParams.set('sig', sig);
  return url.toString();
}

Turns out that I wasn’t using the correct API key. Using the general account key rather than the particular images key.
Not sure how to mark this as resolved