How to securely verify store from which an API request originates?

New Member
1 0 1

I am trying to determine which shop a user request originates from on my server. I am aware of the shopOrigin cookie, but want to know how to verify that the cookie is valid (not altered by a third party). I've taken a long look at this question as well as this development tutorial on verifying requests from shopify.

I am aware that the shopOrigin cookie includes a signature cookie, but I don't think I can verify it using that signature because that would require the secret key, correct? I also explored using the hmac verification from the tutorial linked above, however, it also mentions that you would have to hash the message with a secret key which also does not make sense to me as I would not have the secret used to generate the request which originates from the store, correct?

In essence, my question is: if the user takes an action in my embedded app that triggers a request to my API - how can I identify which shop that request came from and verify that no one has changed the identifier for the sake of security.

I have access to the shopOrigin cookie from the request, but I have been able to change the value in browser and send the altered value to my API. 

I am new to shopify development so any help is appreciated, thank you all for your time!