We have created an app for stores, and will be using webhooks. I have previously registered for webhooks via the GUI, and API, and have validated the HMACs successfully. Currently, I am registering the webhooks using the app token in the header, but am not sure what secret I should be using to validate the webhook once it arrives. When you go through the GUI, you are given a secret on the bottom of the page. When you create a private app, you are given a shared_secret. When the app is installed, all I am getting is a token, so I am not sure what to use to validate the webhook.