Solution (unvalidated)
Fix verify_token() to derive payload_bytes using bytes.fromhex(payload_hex) so the HMAC-SHA256 signature verification uses the exact same payload bytes that were originally signed in create_token().
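The fix described above, sketched as an added example; it is not the original code, which this page does not show. The `<payload_hex>.<signature_hex>` token layout, the JSON claims, the key and `verify_token_mismatched()` (a hypothetical stand-in for the buggy version) are all assumptions.

```python
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not from the page


def _mac(payload_bytes: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload_bytes, hashlib.sha256).digest()


def create_token(claims: dict) -> str:
    # Assumed layout: "<payload_hex>.<signature_hex>"; the MAC covers the raw payload bytes.
    payload_bytes = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{payload_bytes.hex()}.{_mac(payload_bytes).hex()}"


def verify_token_mismatched(token: str):
    # Hypothetical "before": MACs the ASCII text of the hex string instead of the
    # bytes it encodes, so even an untouched token never verifies.
    payload_hex, _, sig_hex = token.partition(".")
    payload_bytes = payload_hex.encode()
    if not hmac.compare_digest(_mac(payload_bytes), bytes.fromhex(sig_hex)):
        return None
    return json.loads(bytes.fromhex(payload_hex))


def verify_token(token: str):
    payload_hex, sep, sig_hex = token.partition(".")
    if not sep:
        return None
    try:
        # Same bytes that create_token() signed.
        payload_bytes = bytes.fromhex(payload_hex)
        signature = bytes.fromhex(sig_hex)
    except ValueError:
        return None  # malformed hex in either field
    # Constant-time comparison; parse the payload only after the MAC checks out.
    if not hmac.compare_digest(_mac(payload_bytes), signature):
        return None
    return json.loads(payload_bytes)
```
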
1b173c33-c062-4cc3-b874-1af423e0ace5