jsonwebtoken is a better/more general use module for signing and verifying.
You shouldn’t be encoding the secret, but base64 decoding the secret before you use it to sign.
Usually with this endpoint the problem is your payload you are signing.
Thats why I linked to a question asked also this week with a similar issue.
return jsonwebtoken.sign(payload, base64.encode(secret), { algorithm: ‘HS256’ });
That should be base64 DECODE.
You are double encoding your secret.