An endpoint receiving a token it did not generate MUST treat the token as opaque and make no assumptions about its content or structure.
But CoAPthon assumes that a received token is an utf-8 encoded string. This behavior causes the server to crash if the received token does not contain a valid utf-8 byte sequence.
From RFC 7252, section 5.3.1:
But CoAPthon assumes that a received token is an utf-8 encoded string. This behavior causes the server to crash if the received token does not contain a valid utf-8 byte sequence.