Don't have an app yet? Follow the instructions here.
Each app comes with a client ID, client secret, and signing secret.
The client ID and client secret can be used to generate a bot access token or an access token that impersonates a member. The bot access token can perform all actions that a community admin can perform. The member access token has the same permission as the impersonated member.
Tribe uses the signing secret to sign all webhook requests. This can be used on your side to confirm the requests are coming from Tribe.
As the app developer, you should make sure the client secret and signing secret are not shared or commited to public repositories.