private static byte[] DecodeBytes(string token, object key = null, JwsAlgorithm?expectedJwsAlg = null, JweAlgorithm?expectedJweAlg = null, JweEncryption?expectedJweEnc = null, JwtSettings settings = null, byte[] payload = null, bool requireSignature = false) { Ensure.IsNotEmpty(token, "Incoming token expected to be in compact serialization form, not empty, whitespace or null."); Compact.Iterator parts = Compact.Iterate(token); if (parts.Count == 5) //encrypted JWT { return(DecryptBytes(parts, key, expectedJweAlg, expectedJweEnc, settings)); } else { //signed or plain JWT JwtSettings jwtSettings = GetSettings(settings); byte[] header = parts.Next(); Dictionary <string, object> headerData = jwtSettings.JsonMapper.Parse <Dictionary <string, object> >(Encoding.UTF8.GetString(header)); bool b64 = true; if (headerData.TryGetValue("b64", out object value)) { b64 = (bool)value; } byte[] contentPayload = parts.Next(b64); byte[] signature = parts.Next(); byte[] effectivePayload = payload ?? contentPayload; if (requireSignature && signature.Length == 0) { throw new JoseException("Payload is missing required signature"); } string algorithm = (string)headerData["alg"]; JwsAlgorithm jwsAlgorithm = jwtSettings.JwsAlgorithmFromHeader(algorithm); if (expectedJwsAlg != null && expectedJwsAlg != jwsAlgorithm) { throw new InvalidAlgorithmException("The algorithm type passed to the Decode method did not match the algorithm type in the header."); } IJwsAlgorithm jwsAlgorithmImpl = jwtSettings.Jws(jwsAlgorithm); if (jwsAlgorithmImpl == null) { throw new JoseException(string.Format("Unsupported JWS algorithm requested: {0}", algorithm)); } // If the key has not been specified, attempt to read it from the header. if (key == null && headerData.ContainsKey("kid") && jwsAlgorithm != JwsAlgorithm.none) { if (jwsAlgorithm == JwsAlgorithm.ES256K) { key = (BitcoinPubKeyAddress)BitcoinPubKeyAddress.Create((string)headerData["kid"], jwtSettings.Network); } else { key = (string)headerData["kid"]; } } if (!jwsAlgorithmImpl.Verify(signature, securedInput(header, effectivePayload, b64), key)) { throw new IntegrityException("Invalid signature."); } return(effectivePayload); } }