tranquil-pds/crates/tranquil-api/src/server/service_auth.rs has this line:
let lxm_for_token = lxm.map_or("*", |v| v.as_str());
which defaults the lxm field to *, but the NSID spec seems to refer to this as only allowed in a "group or pattern of NSIDs", not a proper NSID.
As a result jacquard (and probably other libraries) fail to parse the claims on a tranquil-generated service auth token with lxm=*.
It's also worth noting that explicitly requesting an lxm of * fails NSID validation on both Tranquil and the reference PDS, as expected.
The way the reference PDS handles this type of request is to just omit the lxm field entirely (since it isn't a required field).
ah that does seem to be straight up counter to spec yea. shouldnt be too bad a fix ill get it done soon. thank you!