This suggests you didn’t base64 decode the extension secret before use.
And to verify, for JWT verification it’s this secret
