I’m looking to have clearer understanding of how to use/implement IAP/IAB with the Extension-IAP library. Where is use of the shared secret? How does the sample create credentials? Does it only connect with Apple’s store and Google’s store? Is PayPal possible?

You should probably take a look at the sample source in the Extension-IAP library
You init it that way:

    // Google License key: 
    //TODO: Put in config or anywhere
    #if android
    		var licenseKey:String = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2pAdZ0dPy0sr/75E7U4oSYzDLZ7/Vn8YcfR6SN7R60Ew6chHTzRDWxr2XKjgjs3DixwFgcd5YAEv4zWcQfZSSwrOdjycF/5TUAbbfESWAZgB9UDz0NLl5KXaf+HitTlyshAGq7zpsGA52nsu0B/5JF7Sau27Ul1tzTYBWqiOaOEzjfJJppYxbjjTde/wmsEJ2SjqvoSX0zVM3lxpGGNXkvsPBdK8uT8/WU9w5iD2gW0PNsVbPYP2ceF5Q+mPkCef5XNS+nj5nkFHO3oA2Da4Ep4UELg2iQ7uHN0vFcTTJ3KLovZHWLS6ID72OwzfLtpEO/rzT6nKslDfiWz8oU9jwIDAQAB";
    		#else
    		var licenseKey:String = "";
    		#end
    		IAP.initialize(licenseKey);

As for Paypal, it is usually against store policies to use it for payments in your app (they only allow their own system). Google remove apps using it from the PlayStore when they detect it for example. So the Extension-IAP lib would probably never implement it (although it is quite simple to make a paypal pay buton using the paypal rest api if you want to use it in your app, at the risk of being banned from the commercial stores (if you are targeting alternative stores only, this is a possibility)…)