I think I first have to give an example so that it is clear what I mean. It's about encrypting sensitive data such as API access data within the app. For this to be possible we need a secret key. You can store this secret key on the app's web server. However, if access to the server is obtained, for example through a hack, this secret key as well as the data encrypted with it are accessible.
Now, in my opinion, there are two options if you do not want to encrypt the data with a secret key that is on the same server as the data itself:
1. The user enters a password in the app, which is used as the secret key.
2. The OAuth server (in this case Shopify) returns an auth_code / secret during the OAuth process. Because the user has already logged in to his Shopify store with email + password and can only reach the respective app via Apps, i.e. via OAuth, this would save the repeated input from option 1.
The question now is: is there a matching secret string (secret key) that is always sent back to the app when the user opens it from Shopify and is authenticated via OAuth?
I'm not sure if it might be the authentication code (code) from
I would be glad to hear your thoughts. If what I'm trying to do here is all nonsense, please tell me, with a short explanation.
A very interesting introduction to the topic can be found here under "Secret Key Encryption": https://deliciousbrains.com/php-encryption-methods/
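As an added illustration of option 1 (this is example code written for this page, not the poster's code and not from the linked article), here is the pattern the post is circling around: the server never stores the encryption key, only a per-record salt, a nonce and the ciphertext. The key is derived from the user-supplied secret with PBKDF2-HMAC-SHA256 at the moment it is needed and then discarded. Whatever secret the OAuth flow might hand back (the question the post raises) could be fed in instead of the typed password; the example does not settle that. The user password, the API token, the record label and the iteration count are constructed values for the demo; PBKDF2 is implemented inline so the program needs only the Go standard library (Argon2id or scrypt would be the stronger choice but live in golang.org/x/crypto).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32      // AES-256
	pbkdfIters = 100_000 // demo value; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256
)

// pbkdf2SHA256 derives dkLen bytes from password and salt (RFC 8018 with HMAC-SHA256).
// Written out here only to avoid a dependency outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		// U_i = PRF(password, U_{i-1}); T = U1 xor U2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Sealed is everything the server persists for one secret. The key itself is
// absent: it exists only while the user's password is in memory.
type Sealed struct {
	Salt       []byte // per-record KDF salt
	Nonce      []byte // per-encryption AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a key derived from password. label is bound as
// GCM additional data so a ciphertext cannot be quietly moved to another record.
func Seal(password, plaintext, label []byte) (*Sealed, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256(password, salt, pbkdfIters, keyLen)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Sealed{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, label)}, nil
}

// Open re-derives the key from the stored salt and the supplied password. A wrong
// password, a wrong label or a modified record all fail the GCM tag check.
func Open(password []byte, s *Sealed, label []byte) ([]byte, error) {
	key := pbkdf2SHA256(password, s.Salt, pbkdfIters, keyLen)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, label)
	if err != nil {
		return nil, errors.New("decryption failed: wrong password or tampered record")
	}
	return pt, nil
}

func main() {
	password := []byte("correct horse battery staple")      // constructed user secret
	apiToken := []byte("shpat_example_token_0123456789")    // constructed sample API token
	label := []byte("user:42/shopify_access_token")         // constructed record label
	sealed, err := Seal(password, apiToken, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on server: salt=%x nonce=%x ct=%x\n", sealed.Salt, sealed.Nonce, sealed.Ciphertext)
	pt, err := Open(password, sealed, label)
	fmt.Printf("right password: %q err=%v\n", pt, err)
	_, err = Open([]byte("wrong password"), sealed, label)
	fmt.Println("wrong password:", err)
}
```

An attacker who copies the database gets salt, nonce and ciphertext and still has to guess the password, which is exactly what the iteration count is there to slow down; what it does not protect against is an attacker who is on the server while the user is logged in and the derived key is in memory.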