I didn’t get a chance to dig into your code, but I wanted to quickly give you a reference/guide. Here is my node js sign script, I use the same module:
I sign it like this:
generateToken = function(yourApiKey, yourApiSecret, yourDate) {
// your date should be Date.now()
var issuedAt = Math.floor(yourDate / 1000);
var payload = {
iss: yourApiKey,
jti: Math.random().toString(),
iat: issuedAt,
exp: issuedAt + 60,
};
var secret = yourApiSecret; // store this securely.
var token = jwt.sign(payload, secret, {
algorithm: 'HS256', // HMAC-SHA256 signing algorithm
});
// console.log('token:', token);
return token;
};
The token is highly time sensitive, that’s why I hit a server to get the correct time. But if you want to rely on your system clock, try syncing it and I’m sure it will fix it. There are many issues about this on the bug forum - https://github.com/mozilla/addons-server/issues/1071