JWT includes the hash you are referring to - it's the 3rd segment. You need to verify the postback JWT using your seller secret.
The iat and exp fields (issued at, expiration, respectively) help you with replay issues and the "random sequence" (though not really "random") you are also referring to...
Hth....
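An added example, not part of the original answer: checking the third segment of a postback JWT against the seller secret, then enforcing iat and exp. It assumes the token is signed with HS256; the function names, the 60-second leeway, the secret and the sample claims are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, secret: bytes) -> str:
    # Builds a constructed sample token so the example runs offline.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def verify_postback(token: str, secret: bytes, now=None, leeway=60) -> dict:
    """Return the claims if signature, iat and exp check out; else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError as err:
        raise ValueError("malformed token") from err
    # Pin the algorithm (assumed HS256) instead of trusting the header's choice.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        raise ValueError("missing iat/exp")
    if iat > now + leeway:
        raise ValueError("issued in the future")
    if exp < now - leeway:
        raise ValueError("expired")
    return claims
```

The claims are parsed only after the signature matches, so nothing from an unauthenticated payload is acted on.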