Actually, I don't think hubs should store the verify_token beyond the subscription verification request -- as I understand things, it's only purpose is to "authenticate" the hub sending the verification request, and is of no further use after that (the hub.secret value serves that purpose for content distribution requests). In fact, in my code, I purge the verify_token value after validating it in my processing of the subscription verification request, so that it can't be used again by an imposter hub that has sniffed its value.
But then again, I'm kind of new to this stuff, so I could be interpreting things incorrectly. Please see my related comment in the "removal of verify_token" topic. -Andy
