Some other libraries are/were vulnerable to the following:
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Right now only HMAC algorithms are supported, but RSA-based algorithms are on the horizon (see #4).
I would suggest updating the library to deprecate `alg` as suggested by Auth0 (see article above).
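
One way a verifier can avoid trusting the token's `alg` header, shown as an added example that is not part of the original issue or this library's code: the caller pins the algorithm and the header value is only cross-checked against it. The names `sign`, `verify` and `HMAC_DIGESTS` are hypothetical, and only HMAC is covered.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical allow-list: the verifier, not the token, decides the algorithm.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign(payload: dict, key: bytes, algorithm: str = "HS256") -> str:
    header = {"alg": algorithm, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[algorithm]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, key: bytes, algorithm: str = "HS256") -> dict:
    """Verify with the caller-pinned algorithm; raise ValueError on any failure."""
    if algorithm not in HMAC_DIGESTS:
        raise ValueError("unsupported algorithm")
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    # The header never selects the algorithm; a mismatch (including "none")
    # is rejected before any signature work is done.
    if not isinstance(header, dict) or header.get("alg") != algorithm:
        raise ValueError("alg header does not match pinned algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_DIGESTS[algorithm]).digest()
    # Constant-time comparison of the recomputed MAC with the presented one.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))
```
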