Recently Slack moved from using "Validation Tokens" to validate that Slash Command requests were actually from Slack to signing the requests with a "Client Signing Secret".  This seems like a simple change but turned out to be a huge pain in the butt to figure out.