These are more questions than suggestions.
Wondering why the required response isn't just "200", not 2xx. Wondering why the hub.challenge is naked in the response body; seems more symmetrical to send it back the same way you got it, as a name/value pair. If it's going to be naked, why not just stick it in a header? -Tim
