The HTTP post request will contain an X-Hub-Signature header with the SHA1 signature of the post payload. The signature is calculated using the keyed-hash message authentication code (HMAC) where the key is the app secret. The signature is then prefixed with sha1=.
https://developers.facebook.com/docs/messenger-platform/webhook