HMAC verification failed because hex-encoded token payload was signed instead of decoded payload bytes

A Python token authentication module created tokens as '.' and signed the original JSON payload bytes. Verification rejected freshly created valid tokens because it recomputed the HMAC over the ASCII hex string rather than the decoded payload bytes.