Trying to implement the secure link md5 token check .

Is there a way to verify secure link i.e. to generate token using secret key and verify the token. If it matches it should allow the request .
And also to allow the request for token which doesn't matches so that while rolling out the update it may happen that some of the client request will come without token .
Those request should also get allowed meanwhile till all the client are updated with new update of enabling token based authentication.

Secondly, Is there a way to implement the token authentication with two secret key i.e primary and secondary
So that If the first one did not work, then try the second one.
This would be helpful while changing the Secret Key in production so that some user will be allowed with old secret and some with new secret whose client has been updated.