/// <summary>
        /// Encode a ProxyToken to base64 JWT, and sign it with the private key
        /// provided by the certificate.
        /// </summary>
        /// <param name="payload">
        /// The ProxyToken to be encoded.
        /// </param>
        /// <param name="signingCertificate">
        /// The X509Certificate which includes the private key to sign the JWT.
        /// </param>
        /// <returns>
        /// The base64 encoded JWT with signature appended.
        /// </returns>
        public static string Encode(ProxyToken payload, X509Certificate2 signingCertificate)
        {
            // header, payload and signature are joint by dot
            // header.payload.signature
            var segments = new List <string>();

            // RS256 is the ONLY algorithm that works
            var header = new JwtHeader {
                typ = Type, alg = SigningAlgorithm
            };

            // x5t is the base64 encoded SHA1 hash of the certificate
            // must use SHA1 hash algorithm here
            header.x5t = Base64Helper.Base64Encode(signingCertificate.GetCertHash());

            // header and payload should be encoded using UTF8
            var base64header  = Base64Helper.Base64Encode(Encoding.UTF8.GetBytes(header.ToString()));
            var base64payload = Base64Helper.Base64Encode(Encoding.UTF8.GetBytes(payload.ToString()));

            segments.Add(base64header);
            segments.Add(base64payload);

            // what we sign is the base64 encoded result
            var stringToSign = string.Join(".", segments.ToArray());

            // sign the data: header and payload
            var signature = RSASigningHelper.SignData(
                // data to be signed should use ASCII encoding
                Encoding.ASCII.GetBytes(stringToSign),
                signingCertificate, HashAlgorithm);

            segments.Add(Base64Helper.Base64Encode(signature));

            return(string.Join(".", segments.ToArray()));
        }
        /// <summary>
        /// Decodes the base64 JWT and veries it with the public key
        /// in the certificate provided.
        /// </summary>
        /// <param name="token">
        /// The base64-encoded JWT.
        /// </param>
        /// <param name="signingCertificate">
        /// The certificate with the public key to verify the JWT.
        /// </param>
        /// <param name="verity">
        /// If this value is true, signature verification will be proceeded.
        /// </param>
        /// <returns>
        /// The decoded ProxyToken.
        /// </returns>
        public static ProxyToken Decode(string token, X509Certificate2 signingCertificate, bool verity = false)
        {
            var segments = token.Split('.');

            if (verity)
            {
                // get the signed data by decoding the string with ASCII
                // because when signing it, we use ASCII
                var signedData = Encoding.ASCII.GetBytes(string.Concat(segments[0], ".", segments[1]));
                var signature  = Base64Helper.Base64Decode(segments[2]);

                // veify the signature
                if (!RSASigningHelper.VerifySignature(signedData, signature, signingCertificate, HashAlgorithm))
                {
                    throw new CryptographicException("Invalid signature");
                }
            }

            // decode header and payload
            var header  = Encoding.UTF8.GetString(Base64Helper.Base64Decode(segments[0]));
            var payload = Encoding.UTF8.GetString(Base64Helper.Base64Decode(segments[1]));

            return(JSONObject.Parse <ProxyToken>(payload));
        }