Using OAuth to retrieve the host

To keep your embedded apps secure, you're required to lock all communication to the host. The host is provided as a URL query parameter appended to your application URL when your app is loaded inside the Shopify admin. The host parameter is an encoded version of the shop origin and has been required since App Bridge version 2.0.

After you’ve got the host parameter, you can use it to initialize App Bridge and then store the App Bridge instance for the duration of the session. It is a good idea to reuse the same App Bridge instance because the host parameter is only guaranteed on the initial load of your app.

Verification

Each embedded application URL includes an hmac query parameter that can be used to authenticate the request from Shopify.

To learn more about this process, review verifying requests from Shopify.
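
The following server-side check is an added example, not code from Shopify or from this page. It assumes the query-string scheme described in Shopify's request verification documentation (HMAC-SHA256, keyed with the app's secret, over the remaining parameters sorted and joined with `&`); the function names, secret and sample values are constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Message to sign: every parameter except hmac, sorted by key, joined as key=value with '&'.
function canonicalMessage(params) {
  return [...params.entries()]
    .filter(([key]) => key !== 'hmac')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([key, value]) => `${key}=${value}`)
    .join('&');
}

function sign(message, secret) {
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}

// Returns true only when exactly one well-formed hmac is present and it matches.
function verifyShopifyQuery(queryString, secret) {
  const params = new URLSearchParams(queryString);
  const supplied = params.getAll('hmac');
  // Reject missing, duplicated or malformed values before comparing.
  if (supplied.length !== 1 || !/^[0-9a-f]{64}$/i.test(supplied[0])) return false;
  const expected = sign(canonicalMessage(params), secret);
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(
    Buffer.from(supplied[0].toLowerCase(), 'hex'),
    Buffer.from(expected, 'hex')
  );
}

// Constructed sample: placeholder secret and parameters, signed locally for the demo.
const SAMPLE_SECRET = 'constructed-app-secret';
function buildSampleQuery() {
  const params = new URLSearchParams({
    shop: 'example-shop.myshopify.com',
    host: Buffer.from('example-shop.myshopify.com/admin').toString('base64'), // constructed value
    timestamp: '1700000000',
  });
  params.set('hmac', sign(canonicalMessage(params), SAMPLE_SECRET));
  return params.toString();
}

const good = buildSampleQuery();
const tampered = good.replace('example-shop', 'other-shop'); // changes the shop parameter
console.log(verifyShopifyQuery(good, SAMPLE_SECRET), verifyShopifyQuery(tampered, SAMPLE_SECRET));
```

Run the check before reading `host` or `shop` from the URL, so App Bridge is only ever initialized with values that carry a valid signature.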