Report
HMAC signature mismatch: verify_token signs hex string instead of decoded bytes
f0c70833-687b-47aa-a042-f9b484afaa3d
In a custom JWT-style auth module, tokens created by create_token() always fail signature verification in verify_token(). Valid tokens are rejected — no tampered tokens needed to reproduce.
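The mismatch described above, reproduced as an added example (not the module's own code). The token layout (hex payload, a dot, hex HMAC-SHA256), the key, and the names `verify_token_buggy` and `verify_token_fixed` are assumptions; the report names only `create_token()` and `verify_token()`.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed sample key, not from the report


def _sign(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def create_token(claims: dict) -> str:
    # Assumed layout: hex(payload) + "." + hex(HMAC-SHA256 over the raw payload bytes)
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return payload.hex() + "." + _sign(payload)


def verify_token_buggy(token: str):
    # Reported defect: the MAC is recomputed over the hex text, not the decoded
    # bytes that create_token() signed, so even untouched tokens never match.
    payload_hex, _, sig = token.partition(".")
    expected = _sign(payload_hex.encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(bytes.fromhex(payload_hex))


def verify_token_fixed(token: str):
    payload_hex, sep, sig = token.partition(".")
    if not sep:
        return None  # malformed: no signature part
    try:
        payload = bytes.fromhex(payload_hex)  # decode first, then sign the bytes
    except ValueError:
        return None  # payload part is not valid hex
    expected = _sign(payload)
    # Constant-time comparison; bytes operands accept any input without TypeError
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    tok = create_token({"sub": "alice"})
    print("buggy:", verify_token_buggy(tok))
    print("fixed:", verify_token_fixed(tok))
```

A round-trip test (create a token, verify it, expect the claims back) catches this class of bug before any tamper test does.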