How can I validate the Atlassian Connect /installed callback?

I am building an Atlassian Connect app with Rails. The app will be private, but not internal-only, during its initial launch.

How can I securely associate the security context in the /installed event with the access token I provide them?

Aside from the securityEntitlement number, which “will only be included during installation of a paid app”, there does not seem to be any way to provide the Jira user with a private token I can verify directly from the /installed hook. My current notion is to temporarily cache the security context and add some app enablement user flow to the Jira UI that includes sending along a secret generated by my app. Does anyone have other suggestions?
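The following sketch, added here and not part of the original question or of Atlassian's Connect API, models the "cache the security context, then confirm through an enablement flow with an app-generated secret" idea from the post: the `/installed` payload is held as a pending install with a short TTL, and it only becomes active when the enablement step presents the minted secret. The class name, the 15-minute TTL and the payload keys are assumptions; nothing in it verifies the `/installed` request itself.

```ruby
require "securerandom"
require "openssl"

# Constructed example of the asker's proposal: /installed only parks the
# security context as "pending"; activation requires the one-time secret
# that the app shows exclusively inside its own enablement UI.
class PendingInstalls
  TTL = 15 * 60 # seconds a pending install stays valid (assumed value)

  def initialize(now: -> { Time.now })
    @now = now       # injectable clock so expiry can be tested
    @pending = {}    # clientKey => { context:, digest:, expires_at: }
    @active = {}     # clientKey => security context
  end

  # /installed hook: cache the payload and mint a secret. Only a digest of
  # the secret is stored, so a leaked cache does not yield usable secrets.
  def receive_installed(payload)
    client_key = payload.fetch("clientKey")
    secret = SecureRandom.hex(32)
    @pending[client_key] = {
      context: payload,
      digest: digest(secret),
      expires_at: @now.call + TTL,
    }
    secret
  end

  # Enablement flow: activate only if a pending install exists, has not
  # expired, and the presented secret matches (constant-time compare).
  def enable(client_key, presented_secret)
    entry = @pending[client_key]
    return false unless entry
    if @now.call > entry[:expires_at]
      @pending.delete(client_key)   # stale install: drop it, do not activate
      return false
    end
    return false unless OpenSSL.fixed_length_secure_compare(digest(presented_secret.to_s), entry[:digest])
    @active[client_key] = @pending.delete(client_key)[:context]  # one-time use
    true
  end

  def active?(client_key)
    @active.key?(client_key)
  end

  private

  def digest(secret)
    OpenSSL::Digest::SHA256.digest(secret)
  end
end
```

A real deployment would persist the pending entries in a store shared by all Rails workers rather than in a per-process hash.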