Authentication tokens that should be valid were rejected during signature verification.

Authentication tokens that should be valid were rejected during signature verification. In verify_token, payload_bytes was set with payload_hex.encode(), which UTF-8-encodes the hex string rather than reversing the hex encoding from create_token. create_token signs json.dumps(...).encode() and stores payload_bytes.hex(); verification must compute HMAC over bytes.fromhex(payload_hex), not encode() of the hex text.