I pretty much think the problem is in the environment configuration where you have put in the secret key for token verification. The code is not the issue, as it is working in dev.
Once you have checked the code, do check the CORS configuration and database connection.
I don't think the architecture is at fault here.