When we run the management command, the photo_id_key is retrieved
through the orm and so is represented as a string. However, when we do
the initial attempt, the object is instantiated and we refer to the key
without having decoded it. The photo_id_key is sent as a part of the
request to software secure. And if we have a byte representation their
signature checking will fail.
This is why the management command worked even when the site didn't.
It was getting a cleaned key via the orm.
2cae30cd92