def make_signed_system_token(system_user_token: str, private_key_pem: str) -> str:
    # 1) stamp in UTC like yyyyMMddHHmm
    ts = datetime.now(timezone.utc).strftime("%Y%m%d%H%M")
    to_sign = f"{system_user_token}.{ts}".encode("utf-8")

    # 2) load your RSA private key (PEM, PKCS#1 or PKCS#8)
    key = serialization.load_pem_private_key(
        private_key_pem.encode("utf-8"), password=None
    )

    # 3) RSA-SHA256, PKCS#1 v1.5 padding, then Base64 (standard, not URL-safe)
    signature = key.sign(to_sign, padding.PKCS1v15(), hashes.SHA256())
    sig_b64 = base64.b64encode(signature).decode("ascii")

    # 4) final SignedSystemToken
    return f"{system_user_token}.{ts}.{sig_b64}"


# print(load_rsa_private_key_pem(PEM_STR))  # test loading key
print(make_signed_system_token(SYSTEM_USER_TOKEN, PEM_STR))