Each client holds a secret. The secret is used as the passphrase for the keys (or only one key?) on the master.
The secret is also used to create an HMAC that validates that the data stored in db.json has not been tampered with. This is done by computing an HMAC over the data in db.json, keyed with the secret. The HMAC is saved in db.json alongside the data. On the next request from a client to the server, the HMAC is recreated and compared against the stored HMAC to verify that the data has not changed.
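The store-then-verify cycle described above, as an added example that is not the project's own code. It assumes HMAC-SHA256, a db.json layout with hypothetical `data` and `hmac` fields, and hypothetical function names; the secret and sample data are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample values, for illustration only.
SECRET = b"constructed-demo-secret"
SAMPLE_DATA = {"hosts": {"web01": "10.0.0.5"}, "version": 3}


def _canonical(data) -> bytes:
    # Deterministic serialization: the same data must always produce the same
    # bytes, otherwise key order or whitespace changes would break the HMAC.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(data, secret: bytes) -> str:
    """Build the db.json text: the data plus an HMAC over it, keyed with the secret."""
    tag = hmac.new(secret, _canonical(data), hashlib.sha256).hexdigest()
    return json.dumps({"data": data, "hmac": tag}, indent=2)


def verify(db_text: str, secret: bytes) -> bool:
    """Recreate the HMAC on the next request and compare it with the stored one."""
    try:
        doc = json.loads(db_text)
        data, stored = doc["data"], doc["hmac"]
    except (ValueError, KeyError, TypeError):
        return False  # malformed file or missing field is treated as tampered
    if not isinstance(stored, str):
        return False
    expected = hmac.new(secret, _canonical(data), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # leading characters of the stored HMAC were correct.
    return hmac.compare_digest(expected.encode(), stored.encode("utf-8"))


if __name__ == "__main__":
    sealed = seal(SAMPLE_DATA, SECRET)
    print("untouched:", verify(sealed, SECRET))
    print("edited   :", verify(sealed.replace("10.0.0.5", "10.0.0.99"), SECRET))
```

Because the HMAC sits in the same file as the data, it detects edits by anyone who lacks the secret, but not a rollback to an older db.json that was sealed with the same secret.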