Authenticating the request coming from JSON panel in Pipedrive


I have a question about the request that Pipedrive makes to apps in order to render a JSON panel. I see that along with request Pipedrive passes companyId and userId parameters. What’s the suggested practice of matching these to a user in a multi tenant app, where there could be several integrations/connections to the same Pipedrive company?

thank you!