If you haven’t done so already, you should perform these steps:
- capture the token you receive; for example, using a console.log statement given this is in development.
- review the captured token; does it look like a JWT?
- if it's a JWT and you can parse it at jwt.io, then update the API to log the received token before trying to validate it; does the received token match the one you expect?
In conclusion, try to take steps that allow you to gather a bit more information.
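
One way to carry out the capture-and-compare steps above, as an added example that is not part of the original post: a Node.js helper that reports whether a captured token is structurally a JWT and logs a short fingerprint, so the client-side and API-side values can be compared without writing the raw bearer token to a log. `describeToken` is a hypothetical name, the sample tokens are constructed, and the helper does not verify the signature.

```javascript
// Added example: describeToken is a hypothetical helper, not part of any SDK.
const crypto = require('crypto');

// Decode one base64url segment to a parsed JSON object, or null if it is not JSON.
function decodeSegment(segment) {
  try {
    const parsed = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch {
    return null;
  }
}

// Summarise a token for a debug log without validating its signature.
function describeToken(raw) {
  const token = String(raw || '').replace(/^Bearer\s+/i, '').trim();
  const summary = {
    length: token.length,
    // Short SHA-256 fingerprint: equal on both sides only if the token is identical.
    fingerprint: crypto.createHash('sha256').update(token).digest('hex').slice(0, 16),
    looksLikeJwt: false,
    header: null,
    claims: null,
  };
  const parts = token.split('.');
  // A signed JWT (JWS compact form) is three base64url segments separated by dots.
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    return summary;
  }
  summary.header = decodeSegment(parts[0]);
  summary.claims = decodeSegment(parts[1]);
  summary.looksLikeJwt = summary.header !== null && summary.claims !== null
    && typeof summary.header.alg === 'string';
  return summary;
}

// Constructed sample token (not a real credential): header and payload built inline.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ iss: 'https://issuer.example/', aud: 'https://api.example/', exp: 1900000000 }),
  'c2lnbmF0dXJl', // constructed placeholder signature
].join('.');
const sampleOpaque = 'qX3kR9vT2mZ8pL5wN7cB1dF4gH6jK0sA'; // constructed opaque token

console.log('client side:', describeToken(sampleJwt));
console.log('API side   :', describeToken('Bearer ' + sampleJwt));
console.log('opaque     :', describeToken(sampleOpaque));
```

If the fingerprints logged on the two sides differ, the API is not receiving the token the client captured; if `looksLikeJwt` is false, the token is not in the three-segment form that jwt.io parses.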