First, I should note that you should never put the Firebase Secret in your app. It should always be stored safely on a secure server. Your original question suggested you were sending the token down to a server from the client.
I would suggest having the read_hash be the same as a user id, and then storing a "key" at //key when the user is first created.
Then I'd suggest a rules structure as follows:
    {
      "rules": {
        "$userid": {
          ".read": "$userid == auth.read_hash",
          ".write": "!data.exists() || ($userid == auth.read_hash && data.child('key').val() == auth.write_hash)"
        }
      }
    }
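The following is an added example, not code from the original answer or from Firebase: a server-side sketch that signs a token carrying read_hash and write_hash, then models how the two rules above decide access. It assumes the legacy secret-signed token layout (HS256 JWT with the custom data under "d"); the function names, secret and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret, read_hash, write_hash, issued_at):
    """Run on the server only, so the secret never reaches the client."""
    header = {"typ": "JWT", "alg": "HS256"}
    # Assumed legacy layout: the "d" object is what the rules see as `auth`.
    claims = {"v": 0, "iat": issued_at,
              "d": {"read_hash": read_hash, "write_hash": write_hash}}
    body = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)

def auth_from_token(secret, token):
    """Return the `auth` object for a validly signed token, else None."""
    try:
        head, payload, sig = token.split(".")
        expected = hmac.new(secret.encode(), f"{head}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))["d"]
    except (ValueError, KeyError, TypeError):
        return None

def can_read(auth, userid):
    # Models ".read": "$userid == auth.read_hash"
    return auth is not None and userid == auth.get("read_hash")

def can_write(auth, userid, node):
    # Models ".write": !data.exists() || (userid and stored key both match)
    if node is None:  # !data.exists(): the first write needs no auth at all
        return True
    return (auth is not None and userid == auth.get("read_hash")
            and node.get("key") == auth.get("write_hash"))

SECRET = "constructed-demo-secret"  # constructed, not a real Firebase Secret
TOKEN = mint_token(SECRET, "user42", "k-9f3a", issued_at=1700000000)
AUTH = auth_from_token(SECRET, TOKEN)
STORED = {"key": "k-9f3a", "name": "Ada"}  # constructed node stored at /user42
```

The model shows that the !data.exists() branch grants the first write to any client, so the server should create each user node and its key before handing out a token.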