eXistSolutions · duncdrum · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
@@ -8,9 +8,16 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-latest
+    continue-on-error: ${{ matrix.experimental }}
     strategy:
-       matrix:
-         exist-version: [release, latest]
+      fail-fast: true
+      matrix:
+        exist-version: [release, 6.0.1]
+        experimental: [false]
+        # latest might contain breaking changes
+        include:
+          - exist-version: latest
+            experimental: true
     services:
       # Label used to access the service container
       exist:

diff --git a/src/content/jwt.xqm b/src/content/jwt.xqm
@@ -84,8 +84,13 @@ declare function jwt:read ($token as xs:string, $secret as xs:string, $lifetime
 };
 
 declare function jwt:sign ($data as xs:string, $secret as xs:string) as xs:string {
+    (:
+     : This is a band-aid for the output of crypto:hmac being cast to a base64 encoded xs:string
+     : which uses + and / characters. Since util:base64-encode-url-safe cannot operate on binary data,
+     : we do a manual replacement here.
+     :)
     crypto:hmac($data, $secret, "HMAC-SHA-256", "base64")
-    => util:base64-encode-url-safe()
+    => translate("+/=", "-_") 
 };
 
 (:~
@@ -116,7 +121,7 @@ declare function jwt:epoch-to-dateTime($ts as xs:integer) as xs:dateTime {
 declare
 function jwt:encode ($data as item()) as xs:string {
     util:base64-encode-url-safe(
-        serialize($data, map { "method": "json" }))
+        serialize($data, map { "method": "json", "indent": false() }))
 };
 
 declare