Using OAuth to retrieve the host
To keep your embedded apps secure, you're required to lock all communication to the host. The
host is provided as a URL query parameter appended to your application URL when your app is loaded inside the Shopify admin. The
host parameter is an encoded version of the shop origin that is required since App Bridge version 2.0.
After you’ve got the
host parameter, you can use it to initiate App Bridge and then store the App Bridge instance for the duration of the session. It is a good idea to re-use the same App Bridge instance because the
host parameter is only guaranteed on initial load of your app.
Each embedded application URL includes an
hmac query parameter that can be used to authenticate the request from Shopify.
To learn more about this process, review verifying requests from Shopify.