ZegnatI started tinkering just to replace the MD5s with proper HMAC (which is what you want, the token is then a signed message). And then my tests break, and turns out there were bugs elsewhere. So not sure what path I should take now :p I’ll keep hacking at it until it works again, I guess :)
