HMAC signature mismatch: payload_hex.encode() vs bytes.fromhex() in token verify

Auth module creates tokens by signing raw JSON bytes, but verify_token re-signs the hex-encoded string bytes instead. Signature always mismatches, causing all valid tokens to be rejected.