I have found the same behavior for the viewer JWTs generated by the local developer rig. I'm not able to validate them.
However, I'm able to successfully validate the tokens generated for the broadcaster on the "live config" page. I'm validating these with the secret that I set up.
Is it possible that some tokens are generated using some default/hardcoded password?
I'll try to find out by checking the developer rig's code.
EDIT:
I have just seen that the token given to a "Logged-In Viewer" is signed with the default developer-rig secret.
Did I miss adding my custom password somewhere?
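A small verifier that makes the situation in this post reproducible, added here as an example and not taken from the original post or from the developer rig itself. It builds two sample HS256 tokens, one signed with the secret you configured and one with a stand-in for the rig's default secret (both secret values are constructed placeholders, since the real ones are not on the page), and shows that a verifier keyed with your secret rejects the rig-signed token. The `diagnose` helper is a hypothetical name of my own; it reports whether a rejected token actually verifies under a known default secret, which is the check you want when deciding whether the token or your configuration is at fault.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secrets for the demonstration. The real extension
# secret and the developer rig's default secret are not on the page.
CONFIGURED_SECRET = b"my-extension-secret-placeholder"
RIG_DEFAULT_SECRET = b"developer-rig-default-secret-placeholder"


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT. Used only to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return the payload if `token` is an unexpired HS256 JWT signed with `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose 'none' or another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time comparison of the MAC.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        # Covers malformed base64, bad JSON, wrong segment count, undecodable bytes.
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return None
    return payload


def diagnose(token: str, configured_secret: bytes, default_secrets, now=None) -> str:
    """Hypothetical troubleshooting helper (not part of any real API).

    Classifies a token as 'valid' under the configured secret,
    'signed-with-default-secret' if it only verifies under a known default,
    or 'invalid' otherwise. Only the 'valid' outcome should ever be accepted.
    """
    if verify_hs256(token, configured_secret, now) is not None:
        return "valid"
    for candidate in default_secrets:
        if verify_hs256(token, candidate, now) is not None:
            return "signed-with-default-secret"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample tokens mirroring the two cases in the post.
    broadcaster_token = sign_hs256({"role": "broadcaster"}, CONFIGURED_SECRET)
    viewer_token = sign_hs256({"role": "viewer"}, RIG_DEFAULT_SECRET)
    for name, tok in (("broadcaster", broadcaster_token), ("viewer", viewer_token)):
        print(name, diagnose(tok, CONFIGURED_SECRET, [RIG_DEFAULT_SECRET]))
```

Two design points: the verifier pins `alg` to HS256 before touching the signature, so a token cannot downgrade the check, and it never falls back to accepting a token that only verified under a default secret; `diagnose` exists to explain a rejection, not to widen what is accepted. Note also that Twitch distributes extension secrets as base64 strings, so the HMAC key in production is the decoded bytes, not the literal string shown in the console.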