Validating the Token HMAC
To validate the token has not been tampered with by the client, TokenEx performs an Hash-based Message Authentication Code (specifically HMAC-SHA256) of the token value returned in the response using your Client Secret . To validate message authenticity, simply perform the HMAC-SHA256 function on the token value using your Client Secret as the HMAC key and validate it matches the value returned from our server. The validation should be performed on your server (not on the mobile device).