- [ ] Use base64URL and a consistent prefix for the token instead of the current Base64
- [ ] Provide an API for extensions to read a signed token
- [ ] Decide what other information to include in the token, including any additional claims
- [ ] Double check the implementation of encryption
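An added illustration of the first three items (not the project's own code): a prefixed, base64url-encoded token carrying JSON claims and an HMAC-SHA256 tag, with a strict reader that rejects a missing prefix, standard-Base64 characters, and any MAC mismatch. The prefix string, the HMAC construction and the demo key are assumptions; the checklist fixes none of them.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re

# Assumed prefix; the checklist asks for a consistent one but names none.
# A fixed prefix lets secret scanners and log filters recognise tokens reliably.
TOKEN_PREFIX = "myapp_v1_"
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")  # no '+', '/' or '=' allowed


def b64url_encode(data: bytes) -> str:
    """URL-safe alphabet with padding stripped: safe in URLs, headers and cookies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict decode: standard-Base64 characters are rejected, not silently dropped."""
    if not _B64URL_RE.fullmatch(text):
        raise ValueError("not base64url")
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def issue_token(claims: dict, key: bytes) -> str:
    """PREFIX + base64url(canonical claims JSON) + '.' + base64url(HMAC-SHA256 tag)."""
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return TOKEN_PREFIX + b64url_encode(payload) + "." + b64url_encode(tag)


def read_token(token: str, key: bytes):
    """Return the claims only if prefix, encoding and MAC all verify; else None."""
    if not token.startswith(TOKEN_PREFIX):
        return None
    try:
        payload_b64, tag_b64 = token[len(TOKEN_PREFIX):].split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)
```

The claims dict is serialised canonically (sorted keys, no whitespace) so the MAC covers one unambiguous byte string; an extension reading the token only needs the key and `read_token`.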